Commit 72d0debd authored by Wèi Cōngruì's avatar Wèi Cōngruì Committed by Matt Holt

caddytls: add TLS 1.3 support and remove CBC ciphers (#2399)

parent 9037d3ab
...@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) { ...@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) {
config.ProtocolMinVersion = tls.VersionTLS12 config.ProtocolMinVersion = tls.VersionTLS12
} }
if config.ProtocolMaxVersion == 0 { if config.ProtocolMaxVersion == 0 {
config.ProtocolMaxVersion = tls.VersionTLS12 config.ProtocolMaxVersion = tls.VersionTLS13
} }
// Prefer server cipher suites // Prefer server cipher suites
...@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{ ...@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{
"tls1.0": tls.VersionTLS10, "tls1.0": tls.VersionTLS10,
"tls1.1": tls.VersionTLS11, "tls1.1": tls.VersionTLS11,
"tls1.2": tls.VersionTLS12, "tls1.2": tls.VersionTLS12,
"tls1.3": tls.VersionTLS13,
} }
// GetSupportedProtocolName returns the protocol name // GetSupportedProtocolName returns the protocol name
...@@ -489,10 +490,6 @@ var defaultCiphers = []uint16{ ...@@ -489,10 +490,6 @@ var defaultCiphers = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
} }
// List of ciphers we should prefer if native AESNI support is missing // List of ciphers we should prefer if native AESNI support is missing
...@@ -503,10 +500,6 @@ var defaultCiphersNonAESNI = []uint16{ ...@@ -503,10 +500,6 @@ var defaultCiphersNonAESNI = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
} }
// getPreferredDefaultCiphers returns an appropriate cipher suite to use, depending on // getPreferredDefaultCiphers returns an appropriate cipher suite to use, depending on
......
...@@ -34,6 +34,10 @@ import ( ...@@ -34,6 +34,10 @@ import (
) )
func init() { func init() {
// opt-in TLS 1.3 for Go1.12
// TODO: remove this line when Go1.13 is released.
os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS}) caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS})
// ensure the default Storage implementation is plugged in // ensure the default Storage implementation is plugged in
......
...@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) { ...@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) {
if cfg.ProtocolMinVersion != tls.VersionTLS12 { if cfg.ProtocolMinVersion != tls.VersionTLS12 {
t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion) t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion)
} }
if cfg.ProtocolMaxVersion != tls.VersionTLS12 { if cfg.ProtocolMaxVersion != tls.VersionTLS13 {
t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", cfg.ProtocolMaxVersion) t.Errorf("Expected 'tls1.3 (0x0304)' as ProtocolMaxVersion, got %#v", cfg.ProtocolMaxVersion)
} }
// Cipher checks // Cipher checks
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment