feat(common.tls): Allow group aliases for ciphersuites (#15570)
This commit is contained in:
Sven Rebhan
GitHub
parent
95a17d9d9c
commit
5119c7182f
|
|
@ -14,8 +14,10 @@
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
|
|
@ -41,17 +41,57 @@ func Ciphers() (secure, insecure []string) {
|
|||
func ParseCiphers(ciphers []string) ([]uint16, error) {
|
||||
suites := []uint16{}
|
||||
|
||||
added := make(map[uint16]bool, len(ciphers))
|
||||
for _, c := range ciphers {
|
||||
cipher := strings.ToUpper(c)
|
||||
id, ok := tlsCipherMapSecure[cipher]
|
||||
if !ok {
|
||||
idInsecure, ok := tlsCipherMapInsecure[cipher]
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
|
||||
// Handle meta-keywords
|
||||
switch c {
|
||||
case "all":
|
||||
for _, id := range tlsCipherMapInsecure {
|
||||
if added[id] {
|
||||
continue
|
||||
}
|
||||
suites = append(suites, id)
|
||||
added[id] = true
|
||||
}
|
||||
id = idInsecure
|
||||
for _, id := range tlsCipherMapSecure {
|
||||
if added[id] {
|
||||
continue
|
||||
}
|
||||
suites = append(suites, id)
|
||||
added[id] = true
|
||||
}
|
||||
case "insecure":
|
||||
for _, id := range tlsCipherMapInsecure {
|
||||
if added[id] {
|
||||
continue
|
||||
}
|
||||
suites = append(suites, id)
|
||||
added[id] = true
|
||||
}
|
||||
case "secure":
|
||||
for _, id := range tlsCipherMapSecure {
|
||||
if added[id] {
|
||||
continue
|
||||
}
|
||||
suites = append(suites, id)
|
||||
added[id] = true
|
||||
}
|
||||
default:
|
||||
cipher := strings.ToUpper(c)
|
||||
id, ok := tlsCipherMapSecure[cipher]
|
||||
if !ok {
|
||||
idInsecure, ok := tlsCipherMapInsecure[cipher]
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
|
||||
}
|
||||
id = idInsecure
|
||||
}
|
||||
if added[id] {
|
||||
continue
|
||||
}
|
||||
suites = append(suites, id)
|
||||
added[id] = true
|
||||
}
|
||||
suites = append(suites, id)
|
||||
}
|
||||
|
||||
return suites, nil
|
||||
|
|
|
|||
|
|
@ -108,8 +108,10 @@ details on how to use them.
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
|
|
@ -61,8 +61,10 @@
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
|
|
@ -84,8 +84,10 @@ to use them.
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
|
|
@ -55,8 +55,10 @@
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
|
|
@ -55,8 +55,10 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
|
|
@ -37,8 +37,10 @@
|
|||
## Minimal TLS version to accept by the client
|
||||
# tls_min_version = "TLS12"
|
||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
||||
# tls_cipher_suites = []
|
||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||
## suites or insecure suites respectively.
|
||||
# tls_cipher_suites = ["secure"]
|
||||
## Renegotiation method, "never", "once" or "freely"
|
||||
# tls_renegotiation_method = "never"
|
||||
## Use TLS but skip chain & host verification
|
||||
|
|
|
|||
Loading…
Reference in New Issue