From 822a05aa2031b6e73fb58ab0c4e79c5996706380 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Wed, 1 Nov 2023 16:39:04 +0100
Subject: [PATCH] TLS ciphers: use a more secure default if no preference is specified

Signed-off-by: Nicola Murino
---
 internal/util/util.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/internal/util/util.go b/internal/util/util.go
index 72c2c544..ddea7b4c 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -66,6 +66,13 @@ var (
 	// CertsBasePath defines base path for certificates obtained using the built-in ACME protocol.
 	// It is empty is ACME support is disabled
 	CertsBasePath string
+	// Defines the TLS ciphers used by default for TLS 1.0-1.2 if no preference is specified.
+	defaultTLSCiphers = []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	}
 )
 
 // IEC Sizes.
@@ -613,6 +620,11 @@ func GetTLSCiphersFromNames(cipherNames []string) []uint16 {
 		}
 	}
 
+	if len(ciphers) == 0 {
+		// return a secure default
+		return defaultTLSCiphers
+	}
+
 	return ciphers
 }
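Review bot: The last two entries of `defaultTLSCiphers`, `tls.TLS_RSA_WITH_AES_128_GCM_SHA256` and `tls.TLS_RSA_WITH_AES_256_GCM_SHA384`, use static RSA key exchange and therefore give no forward secrecy, which sits oddly in a list the second hunk's comment calls "a secure default" — every other entry is ECDHE. If they are kept deliberately for compatibility with older clients, the comment on the list should say so, e.g. `// The two TLS_RSA_* suites lack forward secrecy and are kept only for legacy-client compatibility.`; otherwise dropping those two lines leaves an all-ECDHE AEAD default. Note also that `tls.Config.CipherSuites` only governs TLS 1.0-1.2, as the comment says, so this list has no effect on TLS 1.3 negotiation.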
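Review bot: The new `if len(ciphers) == 0` check in GetTLSCiphersFromNames cannot distinguish "no preference was configured" from "names were configured but none matched", so a misspelled cipher list silently falls back to the default instead of surfacing the misconfiguration. Consider guarding the fallback on the input rather than the output, `if len(cipherNames) == 0 { return defaultTLSCiphers }`, and leaving an unmatched non-empty list to return `nil` (or be logged) as before; the matching loop that populates `ciphers` starts outside this hunk, so I am inferring its behaviour from the signature. Returning the package-level slice directly also means any caller that appends to or sorts the result mutates the shared default for every later caller — returning a copy (`slices.Clone` if the module's Go version allows it, otherwise `append([]uint16(nil), defaultTLSCiphers...)`) avoids that.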