Add custom CipherSuites

dmwm · Jun 18, 2024 · 9141c90 · 9141c90
1 parent 0d3729e
commit 9141c90
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/data.go b/data.go
@@ -7,7 +7,7 @@ package main
 
 import (
 	"encoding/json"
-	"fmt"
+	"log"
 
 	"github.com/shirou/gopsutil/load"
 	"github.com/shirou/gopsutil/net"
@@ -65,6 +65,7 @@ type Configuration struct {
 	Providers           []string        `json:"providers`               // list of JWKS providers
 	MinTLSVersion       string          `json:"minTLSVersion"`          // minimum TLS version
 	MaxTLSVersion       string          `json:"maxTLSVersion"`          // maximum TLS version
+	CipherSuites        string          `json:"cipher_suites"`          // use custom CipherSuites
 	InsecureSkipVerify  bool            `json:"insecureSkipVerify"`     // tls configuration option
 	LetsEncrypt         bool            `json:"lets_encrypt"`           // start LetsEncrypt HTTPs server
 	DomainNames         []string        `json:"domain_names"`           // list of domain names to use for LetsEncrypt
@@ -82,8 +83,10 @@ func (c Configuration) String() string {
 	data, err := json.MarshalIndent(c, "", "  ")
 	if err == nil {
 		return string(data)
+	} else {
+		log.Println("unable to marshal Configuration object", err)
 	}
-	return fmt.Sprintf("%+v", c)
+	return ""
 }
 
 // ServerSettings controls server parameters

diff --git a/utils.go b/utils.go
@@ -236,6 +236,41 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er
 		log.Println("use maxTLSVersion", maxVer)
 		tlsConfig.MaxVersion = uint16(maxVer)
 	}
+	if Config.CipherSuites == "frontend" {
+		tlsConfig.CipherSuites = []uint16{
+			// TLS 1.0 - 1.2 cipher suites.
+			tls.TLS_RSA_WITH_RC4_128_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+
+			// TLS 1.3 cipher suites.
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+
+			// fallback
+			tls.TLS_FALLBACK_SCSV,
+		}
+	}
 	// setup HTTPs server
 	addr := fmt.Sprintf(":%d", Config.Port)
 	server := &http.Server{