
Allow configurable HTTPS SSL/TLS version(#4451)

spacetourist 8 years ago committed by 无闻
parent
commit
0a6ceabb9b
  1. 15
      cmd/web.go
  2. 7
      conf/app.ini
  3. 2
      pkg/setting/setting.go

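--- a/cmd/web.go
+++ b/cmd/web.go
@@ -672,8 +672,21 @@ func runWeb(ctx *cli.Context) error {
 case setting.SCHEME_HTTP:
 err = http.ListenAndServe(listenAddr, m)
 case setting.SCHEME_HTTPS:
+var tlsMinVersion uint16
+switch setting.TLSMinVersion {
+case "SSL30":
+tlsMinVersion = tls.VersionSSL30
+case "TLS12":
+tlsMinVersion = tls.VersionTLS12
+case "TLS11":
+tlsMinVersion = tls.VersionTLS11
+case "TLS10":
+fallthrough
+default:
+tlsMinVersion = tls.VersionTLS10
+}
 server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
-MinVersion: tls.VersionTLS10,
+MinVersion: tlsMinVersion,
 CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 PreferServerCipherSuites: true,
 CipherSuites: []uint16{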
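Review bot: The `case "SSL30"` branch of the new switch lets the listener be configured down to SSLv3, which is obsolete (RFC 7568) and exposed to POODLE-style downgrade; unless legacy clients are a hard requirement the value should be rejected, or at least reported through the file's logger at startup so a weakened minimum is visible. The `default` branch also maps any unrecognised or empty TLS_MIN_VERSION to TLS 1.0 silently, so a typo such as `TLS1.2` quietly yields a weaker minimum than the operator intended; a warning in that branch naming the rejected value and the fallback would make the misconfiguration detectable. The version mapping would arguably sit better in pkg/setting next to where TLS_MIN_VERSION is read, so validation happens once at configuration time rather than at listen time. runWeb starts before this hunk and the server construction continues after it.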

7
conf/app.ini

@ -56,6 +56,9 @@ DISABLE_ROUTER_LOG = false
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
CERT_FILE = custom/https/cert.pem CERT_FILE = custom/https/cert.pem
KEY_FILE = custom/https/key.pem KEY_FILE = custom/https/key.pem
; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
TLS_MIN_VERSION = TLS10
; Upper level of template and static file path ; Upper level of template and static file path
; default is the path where Gogs is executed ; default is the path where Gogs is executed
STATIC_ROOT_PATH = STATIC_ROOT_PATH =
@ -148,7 +151,7 @@ ANGLED_QUOTES = true
[http] [http]
; Value for Access-Control-Allow-Origin header, default is not to present ; Value for Access-Control-Allow-Origin header, default is not to present
ACCESS_CONTROL_ALLOW_ORIGIN = ACCESS_CONTROL_ALLOW_ORIGIN =
; Define allowed algorithms and their minimum key length (use -1 to disable a type) ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
[ssh.minimum_key_sizes] [ssh.minimum_key_sizes]
@ -346,7 +349,7 @@ MAX_DAYS = 7
; leave empty to inherit ; leave empty to inherit
LEVEL = LEVEL =
; Webhook URL ; Webhook URL
URL = URL =
[log.xorm] [log.xorm]
; Enable file rotation ; Enable file rotation
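Review bot: The comment on the new TLS_MIN_VERSION key lists SSL30 as an allowed value without noting that it is obsolete, and says nothing about what an unrecognised value does (cmd/web.go in this commit falls back to TLS10). Suggest `; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12 (unknown values fall back to TLS10; SSL30 is obsolete and weakens the listener)`. The two later hunks in this file show no visible text change in the render, so they are presumably whitespace-only.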

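--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -69,6 +69,7 @@ var (
 OfflineMode bool
 DisableRouterLog bool
 CertFile, KeyFile string
+TLSMinVersion string
 StaticRootPath string
 EnableGzip bool
 LandingPageURL LandingPage
@@ -438,6 +439,7 @@ func NewContext() {
 Protocol = SCHEME_HTTPS
 CertFile = sec.Key("CERT_FILE").String()
 KeyFile = sec.Key("KEY_FILE").String()
+TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()
 } else if sec.Key("PROTOCOL").String() == "fcgi" {
 Protocol = SCHEME_FCGI
 } else if sec.Key("PROTOCOL").String() == "unix" {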
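Review bot: The new `TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()` line stores the raw string with no validation or default, so checking for a meaningful value is left to the case-sensitive switch in cmd/web.go and an unset or mistyped key becomes indistinguishable from a deliberate TLS10. If `sec.Key` is go-ini's Key as the surrounding calls suggest, `TLSMinVersion = sec.Key("TLS_MIN_VERSION").In("TLS10", []string{"SSL30", "TLS10", "TLS11", "TLS12"})` would pin both the accepted set and the default at the point of configuration. The new package variable also has no doc comment; suggest `// TLSMinVersion is the minimum protocol version the HTTPS listener accepts: SSL30, TLS10, TLS11 or TLS12.` above it. NewContext starts before the second hunk and continues after it.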
