feat(common.tls): Allow group aliases for ciphersuites (#15570)
This commit is contained in:
parent
95a17d9d9c
commit
5119c7182f
|
|
@ -14,8 +14,10 @@
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||
|
|
@ -41,17 +41,57 @@ func Ciphers() (secure, insecure []string) {
|
||||||
func ParseCiphers(ciphers []string) ([]uint16, error) {
|
func ParseCiphers(ciphers []string) ([]uint16, error) {
|
||||||
suites := []uint16{}
|
suites := []uint16{}
|
||||||
|
|
||||||
|
added := make(map[uint16]bool, len(ciphers))
|
||||||
for _, c := range ciphers {
|
for _, c := range ciphers {
|
||||||
cipher := strings.ToUpper(c)
|
// Handle meta-keywords
|
||||||
id, ok := tlsCipherMapSecure[cipher]
|
switch c {
|
||||||
if !ok {
|
case "all":
|
||||||
idInsecure, ok := tlsCipherMapInsecure[cipher]
|
for _, id := range tlsCipherMapInsecure {
|
||||||
if !ok {
|
if added[id] {
|
||||||
return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
|
continue
|
||||||
|
}
|
||||||
|
suites = append(suites, id)
|
||||||
|
added[id] = true
|
||||||
}
|
}
|
||||||
id = idInsecure
|
for _, id := range tlsCipherMapSecure {
|
||||||
|
if added[id] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
suites = append(suites, id)
|
||||||
|
added[id] = true
|
||||||
|
}
|
||||||
|
case "insecure":
|
||||||
|
for _, id := range tlsCipherMapInsecure {
|
||||||
|
if added[id] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
suites = append(suites, id)
|
||||||
|
added[id] = true
|
||||||
|
}
|
||||||
|
case "secure":
|
||||||
|
for _, id := range tlsCipherMapSecure {
|
||||||
|
if added[id] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
suites = append(suites, id)
|
||||||
|
added[id] = true
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
cipher := strings.ToUpper(c)
|
||||||
|
id, ok := tlsCipherMapSecure[cipher]
|
||||||
|
if !ok {
|
||||||
|
idInsecure, ok := tlsCipherMapInsecure[cipher]
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
|
||||||
|
}
|
||||||
|
id = idInsecure
|
||||||
|
}
|
||||||
|
if added[id] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
suites = append(suites, id)
|
||||||
|
added[id] = true
|
||||||
}
|
}
|
||||||
suites = append(suites, id)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return suites, nil
|
return suites, nil
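Review bot: The new meta-keywords are matched case-sensitively by `switch c` while the `default` branch upper-cases explicit suite names with `strings.ToUpper(c)`, so an entry like `"Secure"` or `"ALL"` never hits the alias and instead fails the map lookup with ErrCipherUnsupported; switching on `strings.ToLower(c)` keeps the two paths consistent with how the rest of the function treats case. The four `for _, id := range tlsCipherMap…` loops also iterate Go maps, whose order is randomized on every run, so the slice returned for `"secure"`/`"insecure"`/`"all"` comes back in a different order each time — presumably harmless for crypto/tls, which ignores the order of Config.CipherSuites on recent Go versions (verify against this module's Go toolchain), but it makes any test that compares the result, and any logged suite list, non-deterministic. A single helper that collects the not-yet-added IDs, sorts them (needs `sort` imported) and appends them removes the copy-pasted loops and fixes the ordering in one place. The closing `}` of ParseCiphers is not rendered in this hunk, so I take the body to end at `return suites, nil`.

```go
	added := make(map[uint16]bool, len(ciphers))
	// addAll appends every suite in m that is not in the result yet.
	// Map iteration order is random, so sort the IDs first to keep the
	// returned list stable between runs (tests, logs).
	addAll := func(m map[string]uint16) {
		ids := make([]uint16, 0, len(m))
		for _, id := range m {
			ids = append(ids, id)
		}
		sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
		for _, id := range ids {
			if added[id] {
				continue
			}
			suites = append(suites, id)
			added[id] = true
		}
	}
	for _, c := range ciphers {
		// Handle meta-keywords; fold case so "SECURE" behaves like "secure".
		switch strings.ToLower(c) {
		case "all":
			addAll(tlsCipherMapInsecure)
			addAll(tlsCipherMapSecure)
		case "insecure":
			addAll(tlsCipherMapInsecure)
		case "secure":
			addAll(tlsCipherMapSecure)
		default:
			// … unchanged: single-suite lookup via strings.ToUpper(c) and dedup …
		}
	}
```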
|
||||||
|
|
|
||||||
|
|
@ -108,8 +108,10 @@ details on how to use them.
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||
|
|
@ -61,8 +61,10 @@
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||
|
|
@ -84,8 +84,10 @@ to use them.
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||
|
|
@ -55,8 +55,10 @@
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||
|
|
@ -55,8 +55,10 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||
|
|
@ -37,8 +37,10 @@
|
||||||
## Minimal TLS version to accept by the client
|
## Minimal TLS version to accept by the client
|
||||||
# tls_min_version = "TLS12"
|
# tls_min_version = "TLS12"
|
||||||
## List of ciphers to accept, by default all secure ciphers will be accepted
|
## List of ciphers to accept, by default all secure ciphers will be accepted
|
||||||
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
|
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
|
||||||
# tls_cipher_suites = []
|
## Use "all", "secure" and "insecure" to add all support ciphers, secure
|
||||||
|
## suites or insecure suites respectively.
|
||||||
|
# tls_cipher_suites = ["secure"]
|
||||||
## Renegotiation method, "never", "once" or "freely"
|
## Renegotiation method, "never", "once" or "freely"
|
||||||
# tls_renegotiation_method = "never"
|
# tls_renegotiation_method = "never"
|
||||||
## Use TLS but skip chain & host verification
|
## Use TLS but skip chain & host verification
|
||||||
|
|
|
||||||