diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2019-07-18 09:52:43 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-07-18 09:52:43 -0600 |
commit | 28df6cedfe8d347bd87931960c01e6606c14851e (patch) | |
tree | 5c525082b7f5c8de2036831855a32057634b4b2d | |
parent | dd6aa91d724ce90dc56839bcbd6d8de3ed44646d (diff) |
tls: Use IANA-standard cipher suite names
-rw-r--r-- | modules.go | 2 | ||||
-rw-r--r-- | modules/caddytls/acmemanager.go | 9 | ||||
-rw-r--r-- | modules/caddytls/values.go | 50 |
3 files changed, 34 insertions, 27 deletions
@@ -86,7 +86,7 @@ func GetModules(scope string) []Module { // handle the special case of an empty scope, which // should match only the top-level modules - if len(scopeParts) == 1 && scopeParts[0] == "" { + if scope == "" { scopeParts = []string{} } diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go index 13c515f..578cdb3 100644 --- a/modules/caddytls/acmemanager.go +++ b/modules/caddytls/acmemanager.go @@ -202,14 +202,5 @@ func onDemandAskRequest(ask string, name string) error { return nil } -// supportedCertKeyTypes is all the key types that are supported -// for certificates that are obtained through ACME. -var supportedCertKeyTypes = map[string]certcrypto.KeyType{ - "RSA2048": certcrypto.RSA2048, - "RSA4096": certcrypto.RSA4096, - "P256": certcrypto.EC256, - "P384": certcrypto.EC384, -} - // Interface guard var _ managerMaker = (*ACMEManagerMaker)(nil) diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go index 97443d8..0c62058 100644 --- a/modules/caddytls/values.go +++ b/modules/caddytls/values.go @@ -18,28 +18,35 @@ import ( "crypto/tls" "crypto/x509" + "github.com/go-acme/lego/certcrypto" "github.com/klauspost/cpuid" ) // supportedCipherSuites is the unordered map of cipher suite -// string names to their definition in crypto/tls. -// TODO: might not be needed much longer, see: -// https://github.com/golang/go/issues/30325 +// string names to their definition in crypto/tls. All values +// should be IANA-reserved names. See +// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml +// TODO: might not be needed much longer: https://github.com/golang/go/issues/30325 var supportedCipherSuites = map[string]uint16{ - "ECDHE_ECDSA_AES256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - "ECDHE_RSA_AES256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - "ECDHE_ECDSA_AES128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - "ECDHE_RSA_AES128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - "ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - "ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - "ECDHE_RSA_AES256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - "ECDHE_RSA_AES128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - "ECDHE_ECDSA_AES256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - "ECDHE_ECDSA_AES128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - "RSA_AES256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, - "RSA_AES128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, - "ECDHE_RSA_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - "RSA_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, + "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, } // defaultCipherSuites is the ordered list of all the cipher @@ -86,6 +93,15 @@ var supportedCurves = map[string]tls.CurveID{ "P521": tls.CurveP521, } +// supportedCertKeyTypes is all the key types that are supported +// for certificates that are obtained through ACME. +var supportedCertKeyTypes = map[string]certcrypto.KeyType{ + "RSA2048": certcrypto.RSA2048, + "RSA4096": certcrypto.RSA4096, + "P256": certcrypto.EC256, + "P384": certcrypto.EC384, +} + // defaultCurves is the list of only the curves we want to use // by default, in descending order of preference. // |