Use hosted JSON guidelines for TLS evaluation

[jvehent]

Howdy folks. Author of the Mozilla TLS guidelines here. Thanks for the great tool! I'm actually looking at using it in a number of Go projects we run.

One improvement I'd suggest to make would be to use the JSON version of the guidelines instead of hardcoding the recommendations. We host the file at https://statics.tls.security.mozilla.org/server-side-tls-conf.json You can refer to it in the code and fall back to hardcoded defaults if the retrieval fails.

As an example, here is how we use the JSON recommendations in the evaluation worker in the TLS Observatory works: https://github.com/mozilla/tls-observatory/blob/master/worker/mozillaEvaluationWorker/mozillaEvaluationWorker.go

[callidus]

That's very handy, we are looking at making it config driven at the moment so this comes at the perfect time. Also thanks a bunch for the TLS guidelines themselves, fantastically useful to have a good checklist to work to.

[gcmurphy]

hmm... I wonder if we could somehow use https://blog.golang.org/generate here to pull down the latest rules at build time so we have a recent copy to fall back on should the mozilla service be unavailable or for offline scans?