diff --git a/server/ciphersuites.go b/server/ciphersuites.go index cbc5a2ff..54d99455 100644 --- a/server/ciphersuites.go +++ b/server/ciphersuites.go @@ -68,30 +68,30 @@ var cipherMapByID = map[uint16]string{ func defaultCipherSuites() []uint16 { return []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, } } // Where we maintain available curve preferences var curvePreferenceMap = map[string]tls.CurveID{ + "X25519": tls.X25519, "CurveP256": tls.CurveP256, "CurveP384": tls.CurveP384, "CurveP521": tls.CurveP521, - "X25519": tls.X25519, } // reorder to default to the highest level of security. See: // https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go func defaultCurvePreferences() []tls.CurveID { return []tls.CurveID{ - tls.CurveP521, - tls.CurveP384, tls.X25519, // faster than P256, arguably more secure tls.CurveP256, + tls.CurveP384, + tls.CurveP521, } } diff --git a/server/opts.go b/server/opts.go index 05ed57a2..7a65032f 100644 --- a/server/opts.go +++ b/server/opts.go @@ -28,7 +28,6 @@ import ( "time" "github.com/nats-io/gnatsd/conf" - "github.com/nats-io/gnatsd/util" ) // ClusterOpts are options for clusters. @@ -120,10 +119,10 @@ func (o *Options) Clone() *Options { } } if o.TLSConfig != nil { - clone.TLSConfig = util.CloneTLSConfig(o.TLSConfig) + clone.TLSConfig = o.TLSConfig.Clone() } if o.Cluster.TLSConfig != nil { - clone.Cluster.TLSConfig = util.CloneTLSConfig(o.Cluster.TLSConfig) + clone.Cluster.TLSConfig = o.Cluster.TLSConfig.Clone() } return clone } @@ -767,14 +766,15 @@ func GenTLSConfig(tc *TLSConfigOpts) (*tls.Config, error) { return nil, fmt.Errorf("error parsing certificate: %v", err) } - // Create TLSConfig + // Create the tls.Config from our options. // We will determine the cipher suites that we prefer. + // FIXME(dlc) change if ARM based. config := tls.Config{ - CurvePreferences: tc.CurvePreferences, - Certificates: []tls.Certificate{cert}, - PreferServerCipherSuites: true, MinVersion: tls.VersionTLS12, CipherSuites: tc.Ciphers, + PreferServerCipherSuites: true, + CurvePreferences: tc.CurvePreferences, + Certificates: []tls.Certificate{cert}, } // Require client certificates as needed diff --git a/server/route.go b/server/route.go index 26ee2415..6f95c0eb 100644 --- a/server/route.go +++ b/server/route.go @@ -26,8 +26,6 @@ import ( "strings" "sync/atomic" "time" - - "github.com/nats-io/gnatsd/util" ) // RouteType designates the router type @@ -578,7 +576,7 @@ func (s *Server) createRoute(conn net.Conn, rURL *url.URL) *client { // Check for TLS if tlsRequired { // Copy off the config to add in ServerName if we - tlsConfig := util.CloneTLSConfig(opts.Cluster.TLSConfig) + tlsConfig := opts.Cluster.TLSConfig.Clone() // If we solicited, we will act like the client, otherwise the server. if didSolicit { diff --git a/server/server.go b/server/server.go index 67dc63f0..2a40e64f 100644 --- a/server/server.go +++ b/server/server.go @@ -35,7 +35,6 @@ import ( _ "net/http/pprof" "github.com/nats-io/gnatsd/logger" - "github.com/nats-io/gnatsd/util" ) // Info is the information sent to clients to help them understand information @@ -669,7 +668,7 @@ func (s *Server) startMonitoring(secure bool) error { port = 0 } hp = net.JoinHostPort(opts.HTTPHost, strconv.Itoa(port)) - config := util.CloneTLSConfig(opts.TLSConfig) + config := opts.TLSConfig.Clone() config.ClientAuth = tls.NoClientCert httpListener, err = tls.Listen("tcp", hp, config) diff --git a/util/tls.go b/util/tls.go deleted file mode 100644 index 87907eeb..00000000 --- a/util/tls.go +++ /dev/null @@ -1,25 +0,0 @@ -// Copyright 2017-2018 The NATS Authors -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// +build go1.8 - -package util - -import ( - "crypto/tls" -) - -// CloneTLSConfig returns a copy of c. -func CloneTLSConfig(c *tls.Config) *tls.Config { - return c.Clone() -} diff --git a/util/tls_pre17.go b/util/tls_pre17.go deleted file mode 100644 index 99ea32b4..00000000 --- a/util/tls_pre17.go +++ /dev/null @@ -1,47 +0,0 @@ -// Copyright 2017-2018 The NATS Authors -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// +build go1.5,!go1.7 - -package util - -import ( - "crypto/tls" -) - -// CloneTLSConfig returns a copy of c. Only the exported fields are copied. -// This is temporary, until this is provided by the language. -// https://go-review.googlesource.com/#/c/28075/ -func CloneTLSConfig(c *tls.Config) *tls.Config { - return &tls.Config{ - Rand: c.Rand, - Time: c.Time, - Certificates: c.Certificates, - NameToCertificate: c.NameToCertificate, - GetCertificate: c.GetCertificate, - RootCAs: c.RootCAs, - NextProtos: c.NextProtos, - ServerName: c.ServerName, - ClientAuth: c.ClientAuth, - ClientCAs: c.ClientCAs, - InsecureSkipVerify: c.InsecureSkipVerify, - CipherSuites: c.CipherSuites, - PreferServerCipherSuites: c.PreferServerCipherSuites, - SessionTicketsDisabled: c.SessionTicketsDisabled, - SessionTicketKey: c.SessionTicketKey, - ClientSessionCache: c.ClientSessionCache, - MinVersion: c.MinVersion, - MaxVersion: c.MaxVersion, - CurvePreferences: c.CurvePreferences, - } -} diff --git a/util/tls_pre18.go b/util/tls_pre18.go deleted file mode 100644 index 7df47261..00000000 --- a/util/tls_pre18.go +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright 2017-2018 The NATS Authors -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// +build go1.7,!go1.8 - -package util - -import ( - "crypto/tls" -) - -// CloneTLSConfig returns a copy of c. Only the exported fields are copied. -// This is temporary, until this is provided by the language. -// https://go-review.googlesource.com/#/c/28075/ -func CloneTLSConfig(c *tls.Config) *tls.Config { - return &tls.Config{ - Rand: c.Rand, - Time: c.Time, - Certificates: c.Certificates, - NameToCertificate: c.NameToCertificate, - GetCertificate: c.GetCertificate, - RootCAs: c.RootCAs, - NextProtos: c.NextProtos, - ServerName: c.ServerName, - ClientAuth: c.ClientAuth, - ClientCAs: c.ClientCAs, - InsecureSkipVerify: c.InsecureSkipVerify, - CipherSuites: c.CipherSuites, - PreferServerCipherSuites: c.PreferServerCipherSuites, - SessionTicketsDisabled: c.SessionTicketsDisabled, - SessionTicketKey: c.SessionTicketKey, - ClientSessionCache: c.ClientSessionCache, - MinVersion: c.MinVersion, - MaxVersion: c.MaxVersion, - CurvePreferences: c.CurvePreferences, - DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled, - Renegotiation: c.Renegotiation, - } -}