parent
82b26f81d6
commit
5d3288c37d
12 changed files with 162 additions and 19 deletions
|
@ -51,12 +51,14 @@ var (
|
||||||
TLSMode: 0,
|
TLSMode: 0,
|
||||||
ForcePassiveIP: "",
|
ForcePassiveIP: "",
|
||||||
ClientAuthType: 0,
|
ClientAuthType: 0,
|
||||||
|
TLSCipherSuites: nil,
|
||||||
}
|
}
|
||||||
defaultWebDAVDBinding = webdavd.Binding{
|
defaultWebDAVDBinding = webdavd.Binding{
|
||||||
Address: "",
|
Address: "",
|
||||||
Port: 0,
|
Port: 0,
|
||||||
EnableHTTPS: false,
|
EnableHTTPS: false,
|
||||||
ClientAuthType: 0,
|
ClientAuthType: 0,
|
||||||
|
TLSCipherSuites: nil,
|
||||||
}
|
}
|
||||||
defaultHTTPDBinding = httpd.Binding{
|
defaultHTTPDBinding = httpd.Binding{
|
||||||
Address: "127.0.0.1",
|
Address: "127.0.0.1",
|
||||||
|
@ -64,6 +66,7 @@ var (
|
||||||
EnableWebAdmin: true,
|
EnableWebAdmin: true,
|
||||||
EnableHTTPS: false,
|
EnableHTTPS: false,
|
||||||
ClientAuthType: 0,
|
ClientAuthType: 0,
|
||||||
|
TLSCipherSuites: nil,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -238,6 +241,7 @@ func Init() {
|
||||||
AuthUserFile: "",
|
AuthUserFile: "",
|
||||||
CertificateFile: "",
|
CertificateFile: "",
|
||||||
CertificateKeyFile: "",
|
CertificateKeyFile: "",
|
||||||
|
TLSCipherSuites: nil,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -661,6 +665,12 @@ func getFTPDBindingFromEnv(idx int) {
|
||||||
isSet = true
|
isSet = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__TLS_CIPHER_SUITES", idx))
|
||||||
|
if ok {
|
||||||
|
binding.TLSCipherSuites = tlsCiphers
|
||||||
|
isSet = true
|
||||||
|
}
|
||||||
|
|
||||||
if isSet {
|
if isSet {
|
||||||
if len(globalConf.FTPD.Bindings) > idx {
|
if len(globalConf.FTPD.Bindings) > idx {
|
||||||
globalConf.FTPD.Bindings[idx] = binding
|
globalConf.FTPD.Bindings[idx] = binding
|
||||||
|
@ -702,6 +712,12 @@ func getWebDAVDBindingFromEnv(idx int) {
|
||||||
isSet = true
|
isSet = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__TLS_CIPHER_SUITES", idx))
|
||||||
|
if ok {
|
||||||
|
binding.TLSCipherSuites = tlsCiphers
|
||||||
|
isSet = true
|
||||||
|
}
|
||||||
|
|
||||||
if isSet {
|
if isSet {
|
||||||
if len(globalConf.WebDAVD.Bindings) > idx {
|
if len(globalConf.WebDAVD.Bindings) > idx {
|
||||||
globalConf.WebDAVD.Bindings[idx] = binding
|
globalConf.WebDAVD.Bindings[idx] = binding
|
||||||
|
@ -749,6 +765,12 @@ func getHTTPDBindingFromEnv(idx int) {
|
||||||
isSet = true
|
isSet = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__TLS_CIPHER_SUITES", idx))
|
||||||
|
if ok {
|
||||||
|
binding.TLSCipherSuites = tlsCiphers
|
||||||
|
isSet = true
|
||||||
|
}
|
||||||
|
|
||||||
if isSet {
|
if isSet {
|
||||||
if len(globalConf.HTTPDConfig.Bindings) > idx {
|
if len(globalConf.HTTPDConfig.Bindings) > idx {
|
||||||
globalConf.HTTPDConfig.Bindings[idx] = binding
|
globalConf.HTTPDConfig.Bindings[idx] = binding
|
||||||
|
@ -888,6 +910,7 @@ func setViperDefaults() {
|
||||||
viper.SetDefault("telemetry.auth_user_file", globalConf.TelemetryConfig.AuthUserFile)
|
viper.SetDefault("telemetry.auth_user_file", globalConf.TelemetryConfig.AuthUserFile)
|
||||||
viper.SetDefault("telemetry.certificate_file", globalConf.TelemetryConfig.CertificateFile)
|
viper.SetDefault("telemetry.certificate_file", globalConf.TelemetryConfig.CertificateFile)
|
||||||
viper.SetDefault("telemetry.certificate_key_file", globalConf.TelemetryConfig.CertificateKeyFile)
|
viper.SetDefault("telemetry.certificate_key_file", globalConf.TelemetryConfig.CertificateKeyFile)
|
||||||
|
viper.SetDefault("telemetry.tls_cipher_suites", globalConf.TelemetryConfig.TLSCipherSuites)
|
||||||
}
|
}
|
||||||
|
|
||||||
func lookupBoolFromEnv(envName string) (bool, bool) {
|
func lookupBoolFromEnv(envName string) (bool, bool) {
|
||||||
|
@ -913,3 +936,15 @@ func lookupIntFromEnv(envName string) (int, bool) {
|
||||||
|
|
||||||
return 0, false
|
return 0, false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func lookupStringListFromEnv(envName string) ([]string, bool) {
|
||||||
|
value, ok := os.LookupEnv(envName)
|
||||||
|
if ok {
|
||||||
|
var result []string
|
||||||
|
for _, v := range strings.Split(value, ",") {
|
||||||
|
result = append(result, strings.TrimSpace(v))
|
||||||
|
}
|
||||||
|
return result, true
|
||||||
|
}
|
||||||
|
return nil, false
|
||||||
|
}
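Review bot: lookupStringListFromEnv returns `[""]` rather than an empty list when the variable is set to an empty string, because strings.Split("", ",") yields a single empty element, and a trailing comma such as `a,b,` produces an empty trailing entry the same way; the empty name is presumably dropped later by utils.GetTLSCiphersFromNames, but the binding's TLSCipherSuites then no longer matches the documented "empty" default and isSet is raised for a value that configures nothing. Skipping blank entries in the loop fixes both cases: `if v = strings.TrimSpace(v); v != "" { result = append(result, v) }`. The three getXXXBindingFromEnv hunks above would still mark the binding as set for an empty value, so consider whether they should also require len(tlsCiphers) > 0.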
|
||||||
|
|
|
@ -538,6 +538,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
|
||||||
os.Setenv("SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG", "f")
|
os.Setenv("SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG", "f")
|
||||||
os.Setenv("SFTPGO_FTPD__BINDINGS__0__TLS_MODE", "2")
|
os.Setenv("SFTPGO_FTPD__BINDINGS__0__TLS_MODE", "2")
|
||||||
os.Setenv("SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP", "127.0.1.2")
|
os.Setenv("SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP", "127.0.1.2")
|
||||||
|
os.Setenv("SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
|
||||||
os.Setenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS", "127.0.1.1")
|
os.Setenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS", "127.0.1.1")
|
||||||
os.Setenv("SFTPGO_FTPD__BINDINGS__9__PORT", "2203")
|
os.Setenv("SFTPGO_FTPD__BINDINGS__9__PORT", "2203")
|
||||||
os.Setenv("SFTPGO_FTPD__BINDINGS__9__APPLY_PROXY_CONFIG", "t")
|
os.Setenv("SFTPGO_FTPD__BINDINGS__9__APPLY_PROXY_CONFIG", "t")
|
||||||
|
@ -551,6 +552,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
|
||||||
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG")
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG")
|
||||||
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__TLS_MODE")
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__TLS_MODE")
|
||||||
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP")
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP")
|
||||||
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES")
|
||||||
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS")
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS")
|
||||||
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PORT")
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PORT")
|
||||||
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__APPLY_PROXY_CONFIG")
|
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__APPLY_PROXY_CONFIG")
|
||||||
|
@ -570,12 +572,16 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
|
||||||
require.Equal(t, 2, bindings[0].TLSMode)
|
require.Equal(t, 2, bindings[0].TLSMode)
|
||||||
require.Equal(t, "127.0.1.2", bindings[0].ForcePassiveIP)
|
require.Equal(t, "127.0.1.2", bindings[0].ForcePassiveIP)
|
||||||
require.Equal(t, 0, bindings[0].ClientAuthType)
|
require.Equal(t, 0, bindings[0].ClientAuthType)
|
||||||
|
require.Len(t, bindings[0].TLSCipherSuites, 2)
|
||||||
|
require.Equal(t, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", bindings[0].TLSCipherSuites[0])
|
||||||
|
require.Equal(t, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", bindings[0].TLSCipherSuites[1])
|
||||||
require.Equal(t, 2203, bindings[1].Port)
|
require.Equal(t, 2203, bindings[1].Port)
|
||||||
require.Equal(t, "127.0.1.1", bindings[1].Address)
|
require.Equal(t, "127.0.1.1", bindings[1].Address)
|
||||||
require.True(t, bindings[1].ApplyProxyConfig)
|
require.True(t, bindings[1].ApplyProxyConfig)
|
||||||
require.Equal(t, 1, bindings[1].TLSMode)
|
require.Equal(t, 1, bindings[1].TLSMode)
|
||||||
require.Equal(t, "127.0.1.1", bindings[1].ForcePassiveIP)
|
require.Equal(t, "127.0.1.1", bindings[1].ForcePassiveIP)
|
||||||
require.Equal(t, 1, bindings[1].ClientAuthType)
|
require.Equal(t, 1, bindings[1].ClientAuthType)
|
||||||
|
require.Nil(t, bindings[1].TLSCipherSuites)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestWebDAVBindingsFromEnv(t *testing.T) {
|
func TestWebDAVBindingsFromEnv(t *testing.T) {
|
||||||
|
@ -584,6 +590,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
|
||||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS", "127.0.0.1")
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS", "127.0.0.1")
|
||||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT", "8000")
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT", "8000")
|
||||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS", "0")
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS", "0")
|
||||||
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES", "TLS_RSA_WITH_AES_128_CBC_SHA ")
|
||||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS", "127.0.1.1")
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS", "127.0.1.1")
|
||||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT", "9000")
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT", "9000")
|
||||||
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS", "1")
|
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS", "1")
|
||||||
|
@ -592,6 +599,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS")
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT")
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS")
|
||||||
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES")
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS")
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT")
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS")
|
||||||
|
@ -606,14 +614,18 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
|
||||||
require.Equal(t, 0, bindings[0].Port)
|
require.Equal(t, 0, bindings[0].Port)
|
||||||
require.Empty(t, bindings[0].Address)
|
require.Empty(t, bindings[0].Address)
|
||||||
require.False(t, bindings[0].EnableHTTPS)
|
require.False(t, bindings[0].EnableHTTPS)
|
||||||
|
require.Len(t, bindings[0].TLSCipherSuites, 0)
|
||||||
require.Equal(t, 8000, bindings[1].Port)
|
require.Equal(t, 8000, bindings[1].Port)
|
||||||
require.Equal(t, "127.0.0.1", bindings[1].Address)
|
require.Equal(t, "127.0.0.1", bindings[1].Address)
|
||||||
require.False(t, bindings[1].EnableHTTPS)
|
require.False(t, bindings[1].EnableHTTPS)
|
||||||
require.Equal(t, 0, bindings[1].ClientAuthType)
|
require.Equal(t, 0, bindings[1].ClientAuthType)
|
||||||
|
require.Len(t, bindings[1].TLSCipherSuites, 1)
|
||||||
|
require.Equal(t, "TLS_RSA_WITH_AES_128_CBC_SHA", bindings[1].TLSCipherSuites[0])
|
||||||
require.Equal(t, 9000, bindings[2].Port)
|
require.Equal(t, 9000, bindings[2].Port)
|
||||||
require.Equal(t, "127.0.1.1", bindings[2].Address)
|
require.Equal(t, "127.0.1.1", bindings[2].Address)
|
||||||
require.True(t, bindings[2].EnableHTTPS)
|
require.True(t, bindings[2].EnableHTTPS)
|
||||||
require.Equal(t, 1, bindings[2].ClientAuthType)
|
require.Equal(t, 1, bindings[2].ClientAuthType)
|
||||||
|
require.Nil(t, bindings[2].TLSCipherSuites)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHTTPDBindingsFromEnv(t *testing.T) {
|
func TestHTTPDBindingsFromEnv(t *testing.T) {
|
||||||
|
@ -623,6 +635,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
||||||
|
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__0__ADDRESS", sockPath)
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__0__ADDRESS", sockPath)
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__0__PORT", "0")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__0__PORT", "0")
|
||||||
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__0__TLS_CIPHER_SUITES", " TLS_AES_128_GCM_SHA256")
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ADDRESS", "127.0.0.1")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ADDRESS", "127.0.0.1")
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__1__PORT", "8000")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__1__PORT", "8000")
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS", "0")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS", "0")
|
||||||
|
@ -632,9 +645,11 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN", "0")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN", "0")
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1")
|
||||||
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
|
||||||
|
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256")
|
||||||
t.Cleanup(func() {
|
t.Cleanup(func() {
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__ADDRESS")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__ADDRESS")
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__PORT")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__PORT")
|
||||||
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__TLS_CIPHER_SUITES")
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ADDRESS")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ADDRESS")
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__PORT")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__PORT")
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS")
|
||||||
|
@ -644,6 +659,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS")
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN")
|
||||||
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE")
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE")
|
||||||
|
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES")
|
||||||
})
|
})
|
||||||
|
|
||||||
configDir := ".."
|
configDir := ".."
|
||||||
|
@ -655,16 +671,22 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
||||||
require.Equal(t, sockPath, bindings[0].Address)
|
require.Equal(t, sockPath, bindings[0].Address)
|
||||||
require.False(t, bindings[0].EnableHTTPS)
|
require.False(t, bindings[0].EnableHTTPS)
|
||||||
require.True(t, bindings[0].EnableWebAdmin)
|
require.True(t, bindings[0].EnableWebAdmin)
|
||||||
|
require.Len(t, bindings[0].TLSCipherSuites, 1)
|
||||||
|
require.Equal(t, "TLS_AES_128_GCM_SHA256", bindings[0].TLSCipherSuites[0])
|
||||||
require.Equal(t, 8000, bindings[1].Port)
|
require.Equal(t, 8000, bindings[1].Port)
|
||||||
require.Equal(t, "127.0.0.1", bindings[1].Address)
|
require.Equal(t, "127.0.0.1", bindings[1].Address)
|
||||||
require.False(t, bindings[1].EnableHTTPS)
|
require.False(t, bindings[1].EnableHTTPS)
|
||||||
require.True(t, bindings[1].EnableWebAdmin)
|
require.True(t, bindings[1].EnableWebAdmin)
|
||||||
|
require.Nil(t, bindings[1].TLSCipherSuites)
|
||||||
|
|
||||||
require.Equal(t, 9000, bindings[2].Port)
|
require.Equal(t, 9000, bindings[2].Port)
|
||||||
require.Equal(t, "127.0.1.1", bindings[2].Address)
|
require.Equal(t, "127.0.1.1", bindings[2].Address)
|
||||||
require.True(t, bindings[2].EnableHTTPS)
|
require.True(t, bindings[2].EnableHTTPS)
|
||||||
require.False(t, bindings[2].EnableWebAdmin)
|
require.False(t, bindings[2].EnableWebAdmin)
|
||||||
require.Equal(t, 1, bindings[2].ClientAuthType)
|
require.Equal(t, 1, bindings[2].ClientAuthType)
|
||||||
|
require.Len(t, bindings[2].TLSCipherSuites, 2)
|
||||||
|
require.Equal(t, "TLS_AES_256_GCM_SHA384", bindings[2].TLSCipherSuites[0])
|
||||||
|
require.Equal(t, "TLS_CHACHA20_POLY1305_SHA256", bindings[2].TLSCipherSuites[1])
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHTTPClientCertificatesFromEnv(t *testing.T) {
|
func TestHTTPClientCertificatesFromEnv(t *testing.T) {
|
||||||
|
@ -738,6 +760,7 @@ func TestConfigFromEnv(t *testing.T) {
|
||||||
os.Setenv("SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON", "add")
|
os.Setenv("SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON", "add")
|
||||||
os.Setenv("SFTPGO_KMS__SECRETS__URL", "local")
|
os.Setenv("SFTPGO_KMS__SECRETS__URL", "local")
|
||||||
os.Setenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH", "path")
|
os.Setenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH", "path")
|
||||||
|
os.Setenv("SFTPGO_TELEMETRY__TLS_CIPHER_SUITES", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
|
||||||
t.Cleanup(func() {
|
t.Cleanup(func() {
|
||||||
os.Unsetenv("SFTPGO_SFTPD__BINDINGS__0__ADDRESS")
|
os.Unsetenv("SFTPGO_SFTPD__BINDINGS__0__ADDRESS")
|
||||||
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__0__PORT")
|
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__0__PORT")
|
||||||
|
@ -746,6 +769,7 @@ func TestConfigFromEnv(t *testing.T) {
|
||||||
os.Unsetenv("SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON")
|
os.Unsetenv("SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON")
|
||||||
os.Unsetenv("SFTPGO_KMS__SECRETS__URL")
|
os.Unsetenv("SFTPGO_KMS__SECRETS__URL")
|
||||||
os.Unsetenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH")
|
os.Unsetenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH")
|
||||||
|
os.Unsetenv("SFTPGO_TELEMETRY__TLS_CIPHER_SUITES")
|
||||||
})
|
})
|
||||||
err := config.LoadConfig(".", "invalid config")
|
err := config.LoadConfig(".", "invalid config")
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
@ -760,4 +784,8 @@ func TestConfigFromEnv(t *testing.T) {
|
||||||
kmsConfig := config.GetKMSConfig()
|
kmsConfig := config.GetKMSConfig()
|
||||||
assert.Equal(t, "local", kmsConfig.Secrets.URL)
|
assert.Equal(t, "local", kmsConfig.Secrets.URL)
|
||||||
assert.Equal(t, "path", kmsConfig.Secrets.MasterKeyPath)
|
assert.Equal(t, "path", kmsConfig.Secrets.MasterKeyPath)
|
||||||
|
telemetryConfig := config.GetTelemetryConfig()
|
||||||
|
assert.Len(t, telemetryConfig.TLSCipherSuites, 2)
|
||||||
|
assert.Equal(t, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", telemetryConfig.TLSCipherSuites[0])
|
||||||
|
assert.Equal(t, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", telemetryConfig.TLSCipherSuites[1])
|
||||||
}
|
}
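Review bot: None of the new assertions exercises the parser's edge values: a variable set to the empty string, a trailing comma, or an unknown suite name, so lookupStringListFromEnv returning `[""]` for `SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES=""` would go unnoticed. A short case in TestFTPDBindingsFromEnv that sets the variable to "" and asserts `require.Empty(t, bindings[0].TLSCipherSuites)` would pin the intended behaviour. The WebDAV check for binding 0 uses `require.Len(t, bindings[0].TLSCipherSuites, 0)` while the sibling cases use `require.Nil`; picking one form keeps the three tests consistent.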
|
||||||
|
|
|
@ -110,6 +110,7 @@ The configuration file contains the following sections:
|
||||||
- `tls_mode`, integer. 0 means accept both cleartext and encrypted sessions. 1 means TLS is required for both control and data connection. 2 means implicit TLS. Do not enable this blindly, please check that a proper TLS config is in place if you set `tls_mode` is different from 0.
|
- `tls_mode`, integer. 0 means accept both cleartext and encrypted sessions. 1 means TLS is required for both control and data connection. 2 means implicit TLS. Do not enable this blindly, please check that a proper TLS config is in place if you set `tls_mode` is different from 0.
|
||||||
- `force_passive_ip`, ip address. External IP address to expose for passive connections. Leavy empty to autodetect. Defaut: "".
|
- `force_passive_ip`, ip address. External IP address to expose for passive connections. Leavy empty to autodetect. Defaut: "".
|
||||||
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to FTP authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to FTP authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
||||||
|
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||||
- `bind_port`, integer. Deprecated, please use `bindings`
|
- `bind_port`, integer. Deprecated, please use `bindings`
|
||||||
- `bind_address`, string. Deprecated, please use `bindings`
|
- `bind_address`, string. Deprecated, please use `bindings`
|
||||||
- `banner`, string. Greeting banner displayed when a connection first comes in. Leave empty to use the default banner. Default `SFTPGo <version> ready`, for example `SFTPGo 1.0.0-dev ready`.
|
- `banner`, string. Greeting banner displayed when a connection first comes in. Leave empty to use the default banner. Default `SFTPGo <version> ready`, for example `SFTPGo 1.0.0-dev ready`.
|
||||||
|
@ -132,6 +133,7 @@ The configuration file contains the following sections:
|
||||||
- `address`, string. Leave blank to listen on all available network interfaces. Default: "".
|
- `address`, string. Leave blank to listen on all available network interfaces. Default: "".
|
||||||
- `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
|
- `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
|
||||||
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to basic authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to basic authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
||||||
|
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||||
- `bind_port`, integer. Deprecated, please use `bindings`.
|
- `bind_port`, integer. Deprecated, please use `bindings`.
|
||||||
- `bind_address`, string. Deprecated, please use `bindings`.
|
- `bind_address`, string. Deprecated, please use `bindings`.
|
||||||
- `certificate_file`, string. Certificate for WebDAV over HTTPS. This can be an absolute path or a path relative to the config dir.
|
- `certificate_file`, string. Certificate for WebDAV over HTTPS. This can be an absolute path or a path relative to the config dir.
|
||||||
|
@ -193,6 +195,7 @@ The configuration file contains the following sections:
|
||||||
- `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to enable the built-in web admin interface. Default `true`.
|
- `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to enable the built-in web admin interface. Default `true`.
|
||||||
- `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
|
- `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
|
||||||
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0.
|
||||||
|
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||||
- `bind_port`, integer. Deprecated, please use `bindings`.
|
- `bind_port`, integer. Deprecated, please use `bindings`.
|
||||||
- `bind_address`, string. Deprecated, please use `bindings`. Leave blank to listen on all available network interfaces. On \*NIX you can specify an absolute path to listen on a Unix-domain socket. Default: "127.0.0.1"
|
- `bind_address`, string. Deprecated, please use `bindings`. Leave blank to listen on all available network interfaces. On \*NIX you can specify an absolute path to listen on a Unix-domain socket. Default: "127.0.0.1"
|
||||||
- `templates_path`, string. Path to the HTML web templates. This can be an absolute path or a path relative to the config dir
|
- `templates_path`, string. Path to the HTML web templates. This can be an absolute path or a path relative to the config dir
|
||||||
|
@ -209,6 +212,7 @@ The configuration file contains the following sections:
|
||||||
- `auth_user_file`, string. Path to a file used to store usernames and passwords for basic authentication. This can be an absolute path or a path relative to the config dir. We support HTTP basic authentication, and the file format must conform to the one generated using the Apache `htpasswd` tool. The supported password formats are bcrypt (`$2y$` prefix) and md5 crypt (`$apr1$` prefix). If empty, HTTP authentication is disabled. Authentication will be always disabled for the `/healthz` endpoint.
|
- `auth_user_file`, string. Path to a file used to store usernames and passwords for basic authentication. This can be an absolute path or a path relative to the config dir. We support HTTP basic authentication, and the file format must conform to the one generated using the Apache `htpasswd` tool. The supported password formats are bcrypt (`$2y$` prefix) and md5 crypt (`$apr1$` prefix). If empty, HTTP authentication is disabled. Authentication will be always disabled for the `/healthz` endpoint.
|
||||||
- `certificate_file`, string. Certificate for HTTPS. This can be an absolute path or a path relative to the config dir.
|
- `certificate_file`, string. Certificate for HTTPS. This can be an absolute path or a path relative to the config dir.
|
||||||
- `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
|
- `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
|
||||||
|
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
|
||||||
- **"http"**, the configuration for HTTP clients. HTTP clients are used for executing hooks. Some hooks use a retryable HTTP client, for these hooks you can configure the time between retries and the number of retries. Please check the hook specific documentation to understand which hooks use a retryable HTTP client.
|
- **"http"**, the configuration for HTTP clients. HTTP clients are used for executing hooks. Some hooks use a retryable HTTP client, for these hooks you can configure the time between retries and the number of retries. Please check the hook specific documentation to understand which hooks use a retryable HTTP client.
|
||||||
- `timeout`, integer. Timeout specifies a time limit, in seconds, for requests. For requests with retries this is the timeout for a single request
|
- `timeout`, integer. Timeout specifies a time limit, in seconds, for requests. For requests with retries this is the timeout for a single request
|
||||||
- `retry_wait_min`, integer. Defines the minimum waiting time between attempts in seconds.
|
- `retry_wait_min`, integer. Defines the minimum waiting time between attempts in seconds.
|
||||||
|
|
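--- a/ftpd/ftpd.go
+++ b/ftpd/ftpd.go
@@ -37,6 +37,17 @@ type Binding struct {
 // set to 1 to require client certificate authentication in addition to FTP auth.
 // You need to define at least a certificate authority for this to work
 ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`
+// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.
+// If CipherSuites is nil/empty, a default list of secure cipher suites
+// is used, with a preference order based on hardware performance.
+// Note that TLS 1.3 ciphersuites are not configurable.
+// The supported ciphersuites names are defined here:
+//
+// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52
+//
+// any invalid name will be silently ignored.
+// The order matters, the ciphers listed first will be the preferred ones.
+TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
 }
 
 // GetAddress returns the binding address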
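Review bot: The doc comment added for TLSCipherSuites calls the field `CipherSuites` on its second line, which is the tls.Config field name rather than this one; it should read `// If TLSCipherSuites is nil/empty, a default list of secure cipher suites`. The same comment is duplicated verbatim in the webdavd Binding hunk further down, so both copies need the fix. The link is also pinned to the Go `master` branch with a `#L52` line anchor, which will drift as upstream edits that file; naming the file without the line anchor, or pointing at a tagged release, keeps the reference accurate.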
@ -162,6 +162,7 @@ func (s *Server) GetTLSConfig() (*tls.Config, error) {
|
||||||
tlsConfig := &tls.Config{
|
tlsConfig := &tls.Config{
|
||||||
GetCertificate: certMgr.GetCertificateFunc(),
|
GetCertificate: certMgr.GetCertificateFunc(),
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
|
CipherSuites: utils.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
|
||||||
}
|
}
|
||||||
if s.binding.ClientAuthType == 1 {
|
if s.binding.ClientAuthType == 1 {
|
||||||
tlsConfig.ClientCAs = certMgr.GetRootCAs()
|
tlsConfig.ClientCAs = certMgr.GetRootCAs()
|
||||||
|
|
|
@ -96,6 +96,17 @@ type Binding struct {
|
||||||
// set to 1 to require client certificate authentication in addition to basic auth.
|
// set to 1 to require client certificate authentication in addition to basic auth.
|
||||||
// You need to define at least a certificate authority for this to work
|
// You need to define at least a certificate authority for this to work
|
||||||
ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`
|
ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`
|
||||||
|
// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.
|
||||||
|
// If CipherSuites is nil/empty, a default list of secure cipher suites
|
||||||
|
// is used, with a preference order based on hardware performance.
|
||||||
|
// Note that TLS 1.3 ciphersuites are not configurable.
|
||||||
|
// The supported ciphersuites names are defined here:
|
||||||
|
//
|
||||||
|
// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52
|
||||||
|
//
|
||||||
|
// any invalid name will be silently ignored.
|
||||||
|
// The order matters, the ciphers listed first will be the preferred ones.
|
||||||
|
TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAddress returns the binding address
|
// GetAddress returns the binding address
|
||||||
|
|
|
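Review bot: The new field comment is inconsistent with the code it documents: it says "If CipherSuites is nil/empty" while the field is `TLSCipherSuites`, and it points at `cipher_suites.go#L52` on the master branch, a line number that will drift as the Go source changes. Suggest `// If TLSCipherSuites is nil/empty, a default list of secure cipher suites is used` and referring readers to the names returned by `tls.CipherSuites()`, which is what the commit actually matches against, instead of a line in the Go repository. It would also help operators to spell out the consequence of "silently ignored": a list whose entries all fail to match behaves exactly like an empty list and enables Go's defaults, so a typo loosens rather than tightens the configuration.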
@ -53,7 +53,11 @@ func (s *httpdServer) listenAndServe() error {
|
||||||
config := &tls.Config{
|
config := &tls.Config{
|
||||||
GetCertificate: certMgr.GetCertificateFunc(),
|
GetCertificate: certMgr.GetCertificateFunc(),
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
|
CipherSuites: utils.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
|
||||||
|
PreferServerCipherSuites: true,
|
||||||
}
|
}
|
||||||
|
logger.Debug(logSender, "", "configured TLS cipher suites for binding %#v: %v", s.binding.GetAddress(),
|
||||||
|
config.CipherSuites)
|
||||||
httpServer.TLSConfig = config
|
httpServer.TLSConfig = config
|
||||||
if s.binding.ClientAuthType == 1 {
|
if s.binding.ClientAuthType == 1 {
|
||||||
httpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs()
|
httpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs()
|
||||||
|
|
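Review bot: The debug line prints `config.CipherSuites` as a raw `[]uint16`, so an operator sees numeric IDs rather than suite names, and an empty `TLSCipherSuites` prints `[]`, which reads as "no suites" although Go's defaults are in effect; that makes it hard to verify a hardening change from the log. `tls.CipherSuiteName` lives in the same standard-library package as the `tls.CipherSuites()` this commit already relies on, so the names can be rendered without a new dependency. The rewrite below keeps the config construction as is and only changes what is logged; listenAndServe's body continues on both sides of the hunk.
```go
	config := &tls.Config{
		// … unchanged: GetCertificate, MinVersion, CipherSuites, PreferServerCipherSuites …
	}
	cipherNames := make([]string, 0, len(config.CipherSuites))
	for _, id := range config.CipherSuites {
		cipherNames = append(cipherNames, tls.CipherSuiteName(id))
	}
	logger.Debug(logSender, "", "configured TLS cipher suites for binding %#v: %v (empty list means Go defaults)",
		s.binding.GetAddress(), cipherNames)
```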
12
sftpgo.json
12
sftpgo.json
|
@ -59,7 +59,8 @@
|
||||||
"apply_proxy_config": true,
|
"apply_proxy_config": true,
|
||||||
"tls_mode": 0,
|
"tls_mode": 0,
|
||||||
"force_passive_ip": "",
|
"force_passive_ip": "",
|
||||||
"client_auth_type": 0
|
"client_auth_type": 0,
|
||||||
|
"tls_cipher_suites": []
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"banner": "",
|
"banner": "",
|
||||||
|
@ -84,7 +85,8 @@
|
||||||
"port": 0,
|
"port": 0,
|
||||||
"address": "",
|
"address": "",
|
||||||
"enable_https": false,
|
"enable_https": false,
|
||||||
"client_auth_type": 0
|
"client_auth_type": 0,
|
||||||
|
"tls_cipher_suites": []
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"certificate_file": "",
|
"certificate_file": "",
|
||||||
|
@ -153,7 +155,8 @@
|
||||||
"address": "127.0.0.1",
|
"address": "127.0.0.1",
|
||||||
"enable_web_admin": true,
|
"enable_web_admin": true,
|
||||||
"enable_https": false,
|
"enable_https": false,
|
||||||
"client_auth_type": 0
|
"client_auth_type": 0,
|
||||||
|
"tls_cipher_suites": []
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"templates_path": "templates",
|
"templates_path": "templates",
|
||||||
|
@ -170,7 +173,8 @@
|
||||||
"enable_profiler": false,
|
"enable_profiler": false,
|
||||||
"auth_user_file": "",
|
"auth_user_file": "",
|
||||||
"certificate_file": "",
|
"certificate_file": "",
|
||||||
"certificate_key_file": ""
|
"certificate_key_file": "",
|
||||||
|
"tls_cipher_suites": []
|
||||||
},
|
},
|
||||||
"http": {
|
"http": {
|
||||||
"timeout": 20,
|
"timeout": 20,
|
||||||
|
|
|
@ -52,6 +52,17 @@ type Conf struct {
|
||||||
// "paramchange" request to the running service on Windows.
|
// "paramchange" request to the running service on Windows.
|
||||||
CertificateFile string `json:"certificate_file" mapstructure:"certificate_file"`
|
CertificateFile string `json:"certificate_file" mapstructure:"certificate_file"`
|
||||||
CertificateKeyFile string `json:"certificate_key_file" mapstructure:"certificate_key_file"`
|
CertificateKeyFile string `json:"certificate_key_file" mapstructure:"certificate_key_file"`
|
||||||
|
// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.
|
||||||
|
// If CipherSuites is nil/empty, a default list of secure cipher suites
|
||||||
|
// is used, with a preference order based on hardware performance.
|
||||||
|
// Note that TLS 1.3 ciphersuites are not configurable.
|
||||||
|
// The supported ciphersuites names are defined here:
|
||||||
|
//
|
||||||
|
// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52
|
||||||
|
//
|
||||||
|
// any invalid name will be silently ignored.
|
||||||
|
// The order matters, the ciphers listed first will be the preferred ones.
|
||||||
|
TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ShouldBind returns true if there service must be started
|
// ShouldBind returns true if there service must be started
|
||||||
|
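Review bot: The comment "any invalid name will be silently ignored" omits the case that matters operationally: when every configured name is invalid (one typo in a single-entry list is enough), `GetTLSCiphersFromNames` returns an empty slice and crypto/tls falls back to its default suite list, so a misconfiguration widens the accepted suites instead of failing. Suggest documenting that explicitly, e.g. `// If no name matches, the default list is used; verify the debug log after a restart`, and preferably rejecting an unmatched name during initialization so the telemetry server refuses to start. The field comment also says "If CipherSuites is nil/empty" while the field is named `TLSCipherSuites`.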
@ -93,7 +104,10 @@ func (c Conf) Initialize(configDir string) error {
|
||||||
config := &tls.Config{
|
config := &tls.Config{
|
||||||
GetCertificate: certMgr.GetCertificateFunc(),
|
GetCertificate: certMgr.GetCertificateFunc(),
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
|
CipherSuites: utils.GetTLSCiphersFromNames(c.TLSCipherSuites),
|
||||||
|
PreferServerCipherSuites: true,
|
||||||
}
|
}
|
||||||
|
logger.Debug(logSender, "", "configured TLS cipher suites: %v", config.CipherSuites)
|
||||||
httpServer.TLSConfig = config
|
httpServer.TLSConfig = config
|
||||||
return utils.HTTPListenAndServe(httpServer, c.BindAddress, c.BindPort, true, logSender)
|
return utils.HTTPListenAndServe(httpServer, c.BindAddress, c.BindPort, true, logSender)
|
||||||
}
|
}
|
||||||
|
|
|
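Review bot: `config.CipherSuites` is assigned from `c.TLSCipherSuites` without checking that anything matched, so a non-empty configured list that resolves to nothing silently enables Go's default suites. A fail-fast check right after the struct literal would turn that into a startup error, e.g. `if len(c.TLSCipherSuites) > 0 && len(config.CipherSuites) == 0 { return fmt.Errorf("no valid TLS cipher suite in %v", c.TLSCipherSuites) }` (assuming `fmt` is imported in this file; otherwise `errors.New` with a fixed message). The debug log would also be more useful rendered through `tls.CipherSuiteName` than as raw IDs. Initialize starts before the hunk header and continues past it.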
@ -9,6 +9,7 @@ import (
|
||||||
"crypto/elliptic"
|
"crypto/elliptic"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
|
@ -436,3 +437,18 @@ func HTTPListenAndServe(srv *http.Server, address string, port int, isTLS bool,
|
||||||
}
|
}
|
||||||
return srv.Serve(listener)
|
return srv.Serve(listener)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetTLSCiphersFromNames returns the TLS ciphers from the specified names
|
||||||
|
func GetTLSCiphersFromNames(cipherNames []string) []uint16 {
|
||||||
|
var ciphers []uint16
|
||||||
|
|
||||||
|
for _, name := range RemoveDuplicates(cipherNames) {
|
||||||
|
for _, c := range tls.CipherSuites() {
|
||||||
|
if c.Name == strings.TrimSpace(name) {
|
||||||
|
ciphers = append(ciphers, c.ID)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return ciphers
|
||||||
|
}
|
||||||
|
|
|
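Review bot: `GetTLSCiphersFromNames` runs `RemoveDuplicates` before `strings.TrimSpace` is applied, so `" X"` and `"X"` both survive and yield the same suite ID twice, and it drops unknown names without any trace; combined with crypto/tls treating an empty `CipherSuites` as "use the defaults", a typo silently results in a broader suite set than intended. I would trim before deduplicating, build the name-to-ID map once instead of rescanning `tls.CipherSuites()` for every name, and make the skipped names visible to the caller (a second return value, or at least a warning if this package may import the logger) so the servers can refuse to start. The sketch below keeps the exported signature; surfacing the unknown names still needs wiring at the call sites.
```go
// GetTLSCiphersFromNames returns the TLS cipher suite IDs for the given names.
// Names are trimmed and duplicates collapsed; unknown names are skipped, so an
// empty result for a non-empty input means nothing matched and Go's default
// list will be used by crypto/tls.
func GetTLSCiphersFromNames(cipherNames []string) []uint16 {
	byName := make(map[string]uint16)
	for _, c := range tls.CipherSuites() {
		byName[c.Name] = c.ID
	}
	seen := make(map[uint16]struct{}, len(cipherNames))
	var ciphers []uint16
	for _, name := range cipherNames {
		id, ok := byName[strings.TrimSpace(name)]
		if !ok {
			continue // unknown name: ignored, should be reported to the caller
		}
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		ciphers = append(ciphers, id)
	}
	return ciphers
}
```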
@ -64,7 +64,11 @@ func (s *webDavServer) listenAndServe(compressor *middleware.Compressor) error {
|
||||||
httpServer.TLSConfig = &tls.Config{
|
httpServer.TLSConfig = &tls.Config{
|
||||||
GetCertificate: certMgr.GetCertificateFunc(),
|
GetCertificate: certMgr.GetCertificateFunc(),
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
|
CipherSuites: utils.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
|
||||||
|
PreferServerCipherSuites: true,
|
||||||
}
|
}
|
||||||
|
logger.Debug(logSender, "", "configured TLS cipher suites for binding %#v: %v", s.binding.GetAddress(),
|
||||||
|
httpServer.TLSConfig.CipherSuites)
|
||||||
if s.binding.ClientAuthType == 1 {
|
if s.binding.ClientAuthType == 1 {
|
||||||
httpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs()
|
httpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs()
|
||||||
httpServer.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
httpServer.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||||
|
|
|
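Review bot: `httpServer.TLSConfig.CipherSuites` is logged as a raw `[]uint16`, which shows numeric IDs instead of suite names and prints `[]` when the binding list is empty even though Go's defaults are in effect; `tls.CipherSuiteName(id)`, from the same standard-library package as the `tls.CipherSuites()` this commit already uses, gives the readable form and a short "(empty means Go defaults)" suffix would remove the ambiguity. Separately, the `PreferServerCipherSuites: true` added here is deprecated and ignored from Go 1.17 on, where crypto/tls picks the order itself, so the ordering guarantee implied by the configuration should not be relied upon across Go versions. listenAndServe's body continues on both sides of the hunk.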
@ -75,6 +75,17 @@ type Binding struct {
|
||||||
// set to 1 to require client certificate authentication in addition to basic auth.
|
// set to 1 to require client certificate authentication in addition to basic auth.
|
||||||
// You need to define at least a certificate authority for this to work
|
// You need to define at least a certificate authority for this to work
|
||||||
ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`
|
ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`
|
||||||
|
// TLSCipherSuites is a list of supported cipher suites for TLS version 1.2.
|
||||||
|
// If CipherSuites is nil/empty, a default list of secure cipher suites
|
||||||
|
// is used, with a preference order based on hardware performance.
|
||||||
|
// Note that TLS 1.3 ciphersuites are not configurable.
|
||||||
|
// The supported ciphersuites names are defined here:
|
||||||
|
//
|
||||||
|
// https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52
|
||||||
|
//
|
||||||
|
// any invalid name will be silently ignored.
|
||||||
|
// The order matters, the ciphers listed first will be the preferred ones.
|
||||||
|
TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAddress returns the binding address
|
// GetAddress returns the binding address
|
||||||
|
|
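Review bot: The comment "The order matters, the ciphers listed first will be the preferred ones" only holds while the server enforces its preference; the WebDAV server sets `PreferServerCipherSuites`, but crypto/tls ignores that field from Go 1.17 on and orders the enabled suites itself, so the sentence should be hedged, e.g. `// Order is used as a preference hint on older Go versions; recent ones choose the order themselves`. The comment also says "for TLS version 1.2", yet `tls.CipherSuites()` presumably also lists the TLS 1.3 suite names, which this commit's lookup will accept and add without any effect on TLS 1.3; a sentence saying that such entries are harmless but do nothing would prevent them being mistaken for a TLS 1.3 restriction. Finally, "If CipherSuites is nil/empty" should read `TLSCipherSuites`, the actual field name.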