TLS ciphers: use a more secure default if no preference is specified

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 2023-11-01 16:39:04 +01:00
parent 4139c79a77
commit 822a05aa20


@ -66,6 +66,13 @@ var (
// CertsBasePath defines base path for certificates obtained using the built-in ACME protocol.
// It is empty is ACME support is disabled
CertsBasePath string
// Defines the TLS ciphers used by default for TLS 1.0-1.2 if no preference is specified.
defaultTLSCiphers = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
}
)
// IEC Sizes.
@ -613,6 +620,11 @@ func GetTLSCiphersFromNames(cipherNames []string) []uint16 {
}
}
if len(ciphers) == 0 {
// return a secure default
return defaultTLSCiphers
}
return ciphers
}
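Review bot: The new defaultTLSCiphers list in the first hunk ends with TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384, which use static RSA key exchange and therefore give no forward secrecy, so a "secure default" that includes them should say why; either restrict the default to the ECDHE suites or add a comment such as `// The two TLS_RSA_* suites have no forward secrecy and are kept only for legacy clients; remove them when no longer needed.`. In the second hunk, `return defaultTLSCiphers` hands out the package-level slice itself, so a caller that sorts or overwrites entries of the result changes the default for every later call; returning a copy, `return append([]uint16(nil), defaultTLSCiphers...)`, avoids that. The same fallback is also taken when cipherNames is non-empty but none of the names matched, which silently replaces an operator's explicit configuration with the default; that case seems worth a log line or at least a comment stating it is intentional. GetTLSCiphersFromNames begins before the hunk, so I could not see how unmatched names are reported there.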