From 68ead67a6330953ae3ec3b78b85adae8da4bedf7 Mon Sep 17 00:00:00 2001 From: Aaron Wood Date: Sun, 12 Feb 2017 19:12:07 -0500 Subject: [PATCH] Use very strong ciphers (#4116) * Use very strong ciphers * Remove TLS_RSA_WITH_AES_256_GCM_SHA384 to be compatible with Go 1.5 --- cmd/web.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/cmd/web.go b/cmd/web.go index 792d8b675..b0277c250 100644 --- a/cmd/web.go +++ b/cmd/web.go @@ -663,7 +663,17 @@ func runWeb(ctx *cli.Context) error { case setting.SCHEME_HTTP: err = http.ListenAndServe(listenAddr, m) case setting.SCHEME_HTTPS: - server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10}, Handler: m} + server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{ + MinVersion: tls.VersionTLS10, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + PreferServerCipherSuites: true, + CipherSuites: []uint16{ + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // Required for HTTP/2 support. + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_RSA_WITH_AES_256_CBC_SHA, + }, + }, Handler: m} err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile) case setting.SCHEME_FCGI: err = fcgi.Serve(nil, m)