tls: restrict tls cipher suites

golang will not turn them off by default: golang/go#13385 Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
rchincha · Mar 2, 2022 · 57bcae3 · 57bcae3
1 parent 45968e0
commit 57bcae3
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/pkg/api/controller.go b/pkg/api/controller.go
@@ -182,8 +182,25 @@ func (c *Controller) Run() error {
 			}
 
 			server.TLSConfig = &tls.Config{
-				ClientAuth:               clientAuth,
-				ClientCAs:                caCertPool,
+				ClientAuth: clientAuth,
+				ClientCAs:  caCertPool,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					// tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // Go 1.8 only
+					// tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,   // Go 1.8 only
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+
+					// Best disabled, as they don't provide Forward Secrecy,
+					// but might be necessary for some clients
+					// tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+					// tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+				},
+				CurvePreferences: []tls.CurveID{
+					tls.CurveP256,
+					// tls.X25519, // Go 1.8 only
+				},
 				PreferServerCipherSuites: true,
 				MinVersion:               tls.VersionTLS12,
 			}