Make SSL cipher suite configurable (#17440)

2021-11-20 06:12:43 +00:00 · 2021-11-20 06:12:43 +00:00 · c96be0cd98
commit c96be0cd98
parent 9f14fe43c6
9 changed files with 266 additions and 54 deletions
--- a/modules/graceful/server.go
+++ b/modules/graceful/server.go
@ -95,48 +95,14 @@ func (srv *Server) ListenAndServe(serve ServeFunction) error {
 	return srv.Serve(serve)
 }

-// ListenAndServeTLS listens on the provided network address and then calls
-// Serve to handle requests on incoming TLS connections.
-//
-// Filenames containing a certificate and matching private key for the server must
-// be provided. If the certificate is signed by a certificate authority, the
-// certFile should be the concatenation of the server's certificate followed by the
-// CA's certificate.
-func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFunction) error {
-	config := &tls.Config{}
-	if config.NextProtos == nil {
-		config.NextProtos = []string{"h2", "http/1.1"}
-	}
-
-	config.Certificates = make([]tls.Certificate, 1)
-
-	certPEMBlock, err := os.ReadFile(certFile)
-	if err != nil {
-		log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
-		return err
-	}
-
-	keyPEMBlock, err := os.ReadFile(keyFile)
-	if err != nil {
-		log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
-		return err
-	}
-
-	config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
-	if err != nil {
-		log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err)
-		return err
-	}
-
-	return srv.ListenAndServeTLSConfig(config, serve)
-}
-
 // ListenAndServeTLSConfig listens on the provided network address and then calls
 // Serve to handle requests on incoming TLS connections.
 func (srv *Server) ListenAndServeTLSConfig(tlsConfig *tls.Config, serve ServeFunction) error {
 	go srv.awaitShutdown()

-	tlsConfig.MinVersion = tls.VersionTLS12
+	if tlsConfig.MinVersion == 0 {
+		tlsConfig.MinVersion = tls.VersionTLS12
+	}

 	l, err := GetListener(srv.network, srv.address)
 	if err != nil {
--- a/modules/graceful/server_http.go
+++ b/modules/graceful/server_http.go
@ -33,13 +33,6 @@ func HTTPListenAndServe(network, address, name string, handler http.Handler) err
 	return server.ListenAndServe(lHandler)
 }

-// HTTPListenAndServeTLS listens on the provided network address and then calls Serve
-// to handle requests on incoming connections.
-func HTTPListenAndServeTLS(network, address, name, certFile, keyFile string, handler http.Handler) error {
-	server, lHandler := newHTTPServer(network, address, name, handler)
-	return server.ListenAndServeTLS(certFile, keyFile, lHandler)
-}
-
 // HTTPListenAndServeTLSConfig listens on the provided network address and then calls Serve
 // to handle requests on incoming connections.
 func HTTPListenAndServeTLSConfig(network, address, name string, tlsConfig *tls.Config, handler http.Handler) error {
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -114,6 +114,10 @@ var (
 	LetsEncryptTOS       bool
 	LetsEncryptDirectory string
 	LetsEncryptEmail     string
+	SSLMinimumVersion    string
+	SSLMaximumVersion    string
+	SSLCurvePreferences  []string
+	SSLCipherSuites      []string
 	GracefulRestartable  bool
 	GracefulHammerTime   time.Duration
 	StartupTimeout       time.Duration
@ -618,6 +622,10 @@ func NewContext() {
 	}
 	LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
 	LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
+	SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
+	SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
+	SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
+	SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
 	Domain = sec.Key("DOMAIN").MustString("localhost")
 	HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
 	HTTPPort = sec.Key("HTTP_PORT").MustString("3000")