Use better ciphers available under 1.5

2026-04-02 11:48:43 -07:00 · 2015-11-22 08:29:18 -08:00
parent 5753e94bbd
commit ef43c19fce
3 changed files with 37 additions and 7 deletions
--- a/server/ciphersuites_1.4.go
+++ b/server/ciphersuites_1.4.go
@@ -0,0 +1,16 @@
+// Copyright 2015 Apcera Inc. All rights reserved.
+
+// +build go1.4,!go1.5
+
+package server
+
+import (
+	"crypto/tls"
+)
+
+func defaultCipherSuites() []uint16 {
+	return []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+}
--- a/server/ciphersuites_1.5.go
+++ b/server/ciphersuites_1.5.go
@@ -0,0 +1,19 @@
+// Copyright 2015 Apcera Inc. All rights reserved.
+
+// +build go1.5
+
+package server
+
+import (
+	"crypto/tls"
+)
+
+func defaultCipherSuites() []uint16 {
+	return []uint16{
+		// The SHA384 versions are only in Go1.5
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+}
--- a/server/opts.go
+++ b/server/opts.go
@@ -244,17 +244,12 @@ func parseTLS(tlsm map[string]interface{}) (*tls.Config, error) {
 	}
 	// Create TLSConfig
 	// We will determine the cipher suites that we prefer.
+
 	config := tls.Config{
 		Certificates:             []tls.Certificate{cert},
 		PreferServerCipherSuites: true,
 		MinVersion:               tls.VersionTLS12,
-		CipherSuites: []uint16{
-			// The SHA384 versions are only in Go1.5
-			//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			//			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		},
+		CipherSuites:             defaultCipherSuites(),
 	}
 	// Require client certificates as needed
 	if tc.verify == true {