summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2020-04-01 14:09:29 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2020-04-01 14:09:29 -0600
commitce3ca541d83aedac70b6c251c149ed91e1fb843a (patch)
treefc42c0d5baa9d427f200ddd93b03df31abe6a38f /modules
parent581f1defcb6de580d57f3c3e58b29950d2f42cb7 (diff)
caddytls: Update cipher suite names and curve names
Now using IANA-compliant names and Go 1.14's CipherSuites() function so we don't have to maintain our own mapping of currently-secure cipher suites.
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go6
-rw-r--r--modules/caddytls/connpolicy.go5
-rw-r--r--modules/caddytls/values.go60
3 files changed, 32 insertions, 39 deletions
diff --git a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
index cff6b39..915b8df 100644
--- a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
+++ b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
@@ -274,9 +274,9 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) {
env["SSL_PROTOCOL"] = v
}
// and pass the cipher suite in a manner compatible with apache's mod_ssl
- for k, v := range caddytls.SupportedCipherSuites {
- if v == r.TLS.CipherSuite {
- env["SSL_CIPHER"] = k
+ for _, cs := range caddytls.SupportedCipherSuites() {
+ if cs.ID == r.TLS.CipherSuite {
+ env["SSL_CIPHER"] = cs.Name
break
}
}
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index c821811..52ccdd9 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -214,7 +214,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
// add all the cipher suites in order, without duplicates
cipherSuitesAdded := make(map[uint16]struct{})
for _, csName := range p.CipherSuites {
- csID := SupportedCipherSuites[csName]
+ csID := CipherSuiteID(csName)
+ if csID == 0 {
+ return fmt.Errorf("unsupported cipher suite: %s", csName)
+ }
if _, ok := cipherSuitesAdded[csID]; !ok {
cipherSuitesAdded[csID] = struct{}{}
cfg.CipherSuites = append(cfg.CipherSuites, csID)
diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go
index 40b0de0..f0944a3 100644
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@@ -23,35 +23,27 @@ import (
"github.com/klauspost/cpuid"
)
-// SupportedCipherSuites is the unordered map of cipher suite
-// string names to their definition in crypto/tls. All values
-// should be IANA-reserved names. See
-// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
-// Two of the cipher suite constants in the standard lib do not use the
-// full IANA name, but we do; see:
-// https://github.com/golang/go/issues/32061 and
-// https://github.com/golang/go/issues/30325#issuecomment-512862374.
-// TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
-var SupportedCipherSuites = map[string]uint16{
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
- "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
- "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+// CipherSuiteNameSupported returns true if name is
+// a supported cipher suite.
+func CipherSuiteNameSupported(name string) bool {
+ return CipherSuiteID(name) != 0
+}
+
+// CipherSuiteID returns the ID of the cipher suite associated with
+// the given name, or 0 if the name is not recognized/supported.
+func CipherSuiteID(name string) uint16 {
+ for _, cs := range SupportedCipherSuites() {
+ if cs.Name == name {
+ return cs.ID
+ }
+ }
+ return 0
+}
+
+// SupportedCipherSuites returns a list of all the cipher suites
+// Caddy supports. The list is NOT ordered by security preference.
+func SupportedCipherSuites() []*tls.CipherSuite {
+ return tls.CipherSuites()
}
// defaultCipherSuites is the ordered list of all the cipher
@@ -92,12 +84,10 @@ func getOptimalDefaultCipherSuites() []uint16 {
// SupportedCurves is the unordered map of supported curves.
// https://golang.org/pkg/crypto/tls/#CurveID
var SupportedCurves = map[string]tls.CurveID{
- // TODO: Use IANA names, probably? see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
- // All named crypto/elliptic curves have secpXXXr1 IANA names.
- "x25519": tls.X25519, // x25519, 29
- "p256": tls.CurveP256, // secp256r1, 23
- "p384": tls.CurveP384, // secp384r1, 24
- "p521": tls.CurveP521, // secp521r1, 25
+ "x25519": tls.X25519,
+ "secp256r1": tls.CurveP256,
+ "secp384r1": tls.CurveP384,
+ "secp521r1": tls.CurveP521,
}
// supportedCertKeyTypes is all the key types that are supported