app/tls: Update configs used by SimpleTLSConfig

Set minimum TLS version to TLS 1.3
canonical · Mar 6, 2023 · da7e7e0 · da7e7e0
1 parent 2ef0aa7
commit da7e7e0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 21 deletions.
diff --git a/app/tls.go b/app/tls.go
@@ -4,8 +4,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-
-	"github.com/canonical/go-dqlite/internal/protocol"
 )
 
 // SimpleTLSConfig returns a pair of TLS configuration objects with sane
@@ -61,12 +59,9 @@ func SimpleTLSConfig(cert tls.Certificate, pool *x509.CertPool) (*tls.Config, *t
 // The returned config can be used as "listen" parameter for the WithTLS
 // option.
 func SimpleListenTLSConfig(cert tls.Certificate, pool *x509.CertPool) *tls.Config {
-	// See https://github.com/denji/golang-tls
 	config := &tls.Config{
-		MinVersion:               tls.VersionTLS12,
-		CipherSuites:             protocol.TLSCipherSuites,
+		MinVersion:               tls.VersionTLS13,
 		PreferServerCipherSuites: true,
-		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 		Certificates:             []tls.Certificate{cert},
 		RootCAs:                  pool,
 		ClientCAs:                pool,
@@ -98,8 +93,7 @@ func SimpleListenTLSConfig(cert tls.Certificate, pool *x509.CertPool) *tls.Confi
 // nil.
 func SimpleDialTLSConfig(cert tls.Certificate, pool *x509.CertPool) *tls.Config {
 	config := &tls.Config{
-		MinVersion:               tls.VersionTLS12,
-		CipherSuites:             protocol.TLSCipherSuites,
+		MinVersion:               tls.VersionTLS13,
 		PreferServerCipherSuites: true,
 		RootCAs:                  pool,
 		Certificates:             []tls.Certificate{cert},

diff --git a/internal/protocol/dial.go b/internal/protocol/dial.go
@@ -2,7 +2,6 @@ package protocol
 
 import (
 	"context"
-	"crypto/tls"
 	"net"
 	"strings"
 )
@@ -16,15 +15,3 @@ func Dial(ctx context.Context, address string) (net.Conn, error) {
 	dialer := net.Dialer{}
 	return dialer.DialContext(ctx, family, address)
 }
-
-// TLSCipherSuites are the cipher suites by the go-dqlite TLS helpers.
-var TLSCipherSuites = []uint16{
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-}