From 9141c90c0b0a122d3633d5a6397446562035740a Mon Sep 17 00:00:00 2001
From: Valentin Kuznetsov
Date: Tue, 18 Jun 2024 08:00:47 -0400
Subject: [PATCH] Add custom CipherSuites

---
 data.go  |  7 +++++--
 utils.go | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/data.go b/data.go
index ad37247..e13f9c5 100644
--- a/data.go
+++ b/data.go
@@ -7,7 +7,7 @@ package main
 
 import (
 	"encoding/json"
-	"fmt"
+	"log"
 
 	"github.com/shirou/gopsutil/load"
 	"github.com/shirou/gopsutil/net"
@@ -65,6 +65,7 @@ type Configuration struct {
 	Providers []string `json:"providers` // list of JWKS providers
 	MinTLSVersion string `json:"minTLSVersion"` // minimum TLS version
 	MaxTLSVersion string `json:"maxTLSVersion"` // maximum TLS version
+	CipherSuites string `json:"cipher_suites"` // use custom CipherSuites
 	InsecureSkipVerify bool `json:"insecureSkipVerify"` // tls configuration option
 	LetsEncrypt bool `json:"lets_encrypt"` // start LetsEncrypt HTTPs server
 	DomainNames []string `json:"domain_names"` // list of domain names to use for LetsEncrypt
@@ -82,8 +83,10 @@ func (c Configuration) String() string {
 	data, err := json.MarshalIndent(c, "", " ")
 	if err == nil {
 		return string(data)
+	} else {
+		log.Println("unable to marshal Configuration object", err)
 	}
-	return fmt.Sprintf("%+v", c)
+	return ""
 }
 
 // ServerSettings controls server parameters
diff --git a/utils.go b/utils.go
index 7787733..8c9c6db 100644
--- a/utils.go
+++ b/utils.go
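Review bot: The new `CipherSuites` field added to `Configuration` is a free-form string, but the utils.go hunk of this same patch recognises only the single value "frontend" and silently ignores anything else, so the field comment `// use custom CipherSuites` does not tell an operator what they may put there. Suggested comment: `// CipherSuites selects a named cipher-suite profile; only "frontend" is recognised, any other value leaves Go's default suites in place`. The tag `cipher_suites` also uses snake_case next to the camelCase `minTLSVersion`/`maxTLSVersion` tags of the adjacent TLS fields; the struct already mixes both styles, so this is a consistency note rather than a defect. The `Configuration` struct begins and ends outside the hunk.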
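Review bot: In `Configuration.String` the added `} else {` follows a terminating `return`, and the method now yields an empty string on a marshal failure where it previously fell back to `fmt.Sprintf("%+v", c)`, so a caller that prints the config gets nothing and the only trace is the log line. Inverting the check keeps the happy path left-aligned and makes the fallback explicit: `if err != nil { log.Println("unable to marshal Configuration object", err); return "" }` followed by `return string(data)`. Separately, `String()` serialises every field of the configuration verbatim; if any field holds a credential this patch does not show, it will reach whatever logs print the config, which is worth confirming before using this method in log output.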
@@ -236,6 +236,41 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er
 		log.Println("use maxTLSVersion", maxVer)
 		tlsConfig.MaxVersion = uint16(maxVer)
 	}
+	if Config.CipherSuites == "frontend" {
+		tlsConfig.CipherSuites = []uint16{
+			// TLS 1.0 - 1.2 cipher suites.
+			tls.TLS_RSA_WITH_RC4_128_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+
+			// TLS 1.3 cipher suites.
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+
+			// fallback
+			tls.TLS_FALLBACK_SCSV,
+		}
+	}
 	// setup HTTPs server
 	addr := fmt.Sprintf(":%d", Config.Port)
 	server := &http.Server{
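Review bot: The "frontend" profile explicitly enables RC4 (`TLS_RSA_WITH_RC4_128_SHA`, `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, `TLS_ECDHE_RSA_WITH_RC4_128_SHA`) and 3DES (`TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`), suites that Go reports through `tls.InsecureCipherSuites()` and keeps out of its defaults; naming them in `tlsConfig.CipherSuites` overrides that, so a client can negotiate RC4 or SWEET32-affected 3DES against this server, and the plain `TLS_RSA_*` entries additionally drop forward secrecy. The three TLS 1.3 entries are inert because Go does not let `Config.CipherSuites` select TLS 1.3 suites, and `TLS_FALLBACK_SCSV` is a client-side signalling value (RFC 7507) rather than a suite that the server already handles on its own, so listing it is a no-op at best. Any `cipher_suites` value other than "frontend" is silently ignored, which hides a misspelt profile name in the config file; a log line on the unrecognised value would surface it. If the intent is a modern front-end profile, the ECDHE AEAD suites below are sufficient; `getServer` begins before and continues after this hunk.
```go
	if Config.CipherSuites == "frontend" {
		// ECDHE AEAD suites only: forward secrecy, no RC4/3DES/CBC. TLS 1.3 suites
		// are not configurable here and TLS_FALLBACK_SCSV is not a cipher suite.
		tlsConfig.CipherSuites = []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		}
	} else if Config.CipherSuites != "" {
		log.Printf("unknown cipher_suites value %q, using Go default cipher suites", Config.CipherSuites)
	}
	// … unchanged: HTTPS server setup …
```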