Commit 43020533 authored by Abiola Ibrahim's avatar Abiola Ibrahim

Merge remote-tracking branch 'upstream/master'

parents a946d65f a5836aeb
...@@ -90,7 +90,7 @@ func TLS(c *Controller) (middleware.Middleware, error) { ...@@ -90,7 +90,7 @@ func TLS(c *Controller) (middleware.Middleware, error) {
func SetDefaultTLSParams(c *server.Config) { func SetDefaultTLSParams(c *server.Config) {
// If no ciphers provided, use all that Caddy supports for the protocol // If no ciphers provided, use all that Caddy supports for the protocol
if len(c.TLS.Ciphers) == 0 { if len(c.TLS.Ciphers) == 0 {
c.TLS.Ciphers = supportedCiphers c.TLS.Ciphers = defaultCiphers
} }
// Not a cipher suite, but still important for mitigating protocol downgrade attacks // Not a cipher suite, but still important for mitigating protocol downgrade attacks
...@@ -159,3 +159,15 @@ var supportedCiphers = []uint16{ ...@@ -159,3 +159,15 @@ var supportedCiphers = []uint16{
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
} }
// List of all the ciphers we want to use by default
var defaultCiphers = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
}
...@@ -42,15 +42,13 @@ func TestTLSParseBasic(t *testing.T) { ...@@ -42,15 +42,13 @@ func TestTLSParseBasic(t *testing.T) {
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_FALLBACK_SCSV, tls.TLS_FALLBACK_SCSV,
} }
// Ensure count is correct (plus one for TLS_FALLBACK_SCSV) // Ensure count is correct (plus one for TLS_FALLBACK_SCSV)
if len(c.TLS.Ciphers) != len(supportedCiphers)+1 { if len(c.TLS.Ciphers) != len(expectedCiphers) {
t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v", t.Errorf("Expected %v Ciphers (including TLS_FALLBACK_SCSV), got %v",
len(supportedCiphers)+1, len(c.TLS.Ciphers)) len(expectedCiphers), len(c.TLS.Ciphers))
} }
// Ensure ordering is correct // Ensure ordering is correct
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment