authorMatthew Holt <mholt@users.noreply.github.com>2019-07-01 11:47:46 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2019-07-01 11:47:46 -0600
commit533d1afb4b4e61dc34282f5be88014f0952c9a00 (patch)
tree53b222366a0182270117f457be397a7b5d76a82f
parent9f8d3611eb9e29d673542877c3cc06a7456a5eea (diff)
tls: Enable TLS 1.3 by default; set sane defaults on tls.Config structs
-rw-r--r--modules/caddytls/connpolicy.go32
-rw-r--r--modules/caddytls/tls.go8
2 files changed, 40 insertions, 0 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 89c91ad..ab0fbca 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -132,6 +132,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
}
tlsApp := tlsAppIface.(*TLS)
+ // fill in some "easy" default values, but for other values
+ // (such as slices), we should ensure that they start empty
+ // so the user-provided config can fill them in; then we will
+ // fill in a default config at the end if they are still unset
cfg := &tls.Config{
NextProtos: p.ALPN,
PreferServerCipherSuites: true,
@@ -210,11 +214,39 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
// TODO: client auth, and other fields
+ setDefaultTLSParams(cfg)
+
p.stdTLSConfig = cfg
return nil
}
+// setDefaultTLSParams sets the default TLS cipher suites, protocol versions,
+// and server preferences of cfg if they are not already set; it does not
+// overwrite values, only fills in missing values.
+func setDefaultTLSParams(cfg *tls.Config) {
+ if len(cfg.CipherSuites) == 0 {
+ cfg.CipherSuites = getOptimalDefaultCipherSuites()
+ }
+
+ // Not a cipher suite, but still important for mitigating protocol downgrade attacks
+ // (prepend since having it at end breaks http2 due to non-h2-approved suites before it)
+ cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
+
+ if len(cfg.CurvePreferences) == 0 {
+ cfg.CurvePreferences = defaultCurves
+ }
+
+ if cfg.MinVersion == 0 {
+ cfg.MinVersion = tls.VersionTLS12
+ }
+ if cfg.MaxVersion == 0 {
+ cfg.MaxVersion = tls.VersionTLS13
+ }
+
+ cfg.PreferServerCipherSuites = true
+}
+
// PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
type PublicKeyAlgorithm x509.PublicKeyAlgorithm
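Review bot: setDefaultTLSParams is documented as only filling in missing values, but two of its statements run unconditionally: the `append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)` prepend and `cfg.PreferServerCipherSuites = true`. The prepend also rewrites an operator-supplied suite list and adds a duplicate entry if that list already carries the value, so either guard it with a membership check or state it in the doc comment, e.g. `// It always prepends TLS_FALLBACK_SCSV and forces server cipher suite preference.` The version defaults can also produce an inverted range: a policy that sets only MaxVersion below TLS 1.2 ends up with MinVersion above MaxVersion, which is better rejected with an error during provisioning than left to fail at handshake time. As far as I know, crypto/tls performs the RFC 7507 fallback check on the server side regardless of what Config.CipherSuites lists, so it is worth confirming that the SCSV entry has any effect here.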
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 619aaee..b38657b 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -18,7 +18,9 @@ import (
"crypto/tls"
"encoding/json"
"fmt"
+ "log"
"net/http"
+ "os"
"time"
"github.com/caddyserver/caddy"
@@ -32,6 +34,12 @@ func init() {
Name: "tls",
New: func() interface{} { return new(TLS) },
})
+
+ // opt-in TLS 1.3 for Go1.12
+ // TODO: remove this line when Go1.13 is released.
+ if err := os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1"); err != nil {
+ log.Println("[ERROR] failed to set environment variable: ", err)
+ }
}
// TLS represents a process-wide TLS configuration.
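Review bot: The `os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")` call in init() appends without looking at the existing value, so an operator who deliberately set a `tls13=` value (for example to keep TLS 1.3 off for a compatibility or compliance reason) gets a contradictory entry added. How the runtime resolves the two entries is not something this code controls. When GODEBUG is unset the result also starts with a stray comma. Because this runs at package init, it changes the environment for the whole process and for any child process that inherits it, which deserves a line in the comment. The sketch below only sets the flag when no tls13 setting is present; it needs `strings` added to the import block, and init() starts above this hunk.

```go
// opt-in TLS 1.3 for Go1.12, unless the operator already chose a tls13 setting;
// note this mutates the process-wide environment (inherited by child processes)
// TODO: remove this block when Go1.13 is released.
if godebug := os.Getenv("GODEBUG"); !strings.Contains(godebug, "tls13=") {
	if godebug != "" {
		godebug += ","
	}
	if err := os.Setenv("GODEBUG", godebug+"tls13=1"); err != nil {
		log.Println("[ERROR] failed to set environment variable: ", err)
	}
}
```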