authorzeripath <art27@cantab.net>2021-11-20 06:12:43 +0000
committerGitHub <noreply@github.com>2021-11-20 01:12:43 -0500
commitc96be0cd982255f20a3fe6ff4683115b8073e65e (patch)
tree3b5c31858438becb2a8a24557c419de9fa085e2a /cmd/web_letsencrypt.go
parent9f14fe43c6de96ce7cf81c87620fcd50e086910c (diff)
Make SSL cipher suite configurable (#17440)
Diffstat (limited to 'cmd/web_letsencrypt.go')
-rw-r--r--cmd/web_letsencrypt.go17
1 files changed, 17 insertions, 0 deletions
diff --git a/cmd/web_letsencrypt.go b/cmd/web_letsencrypt.go
index 096db36b24..066208457b 100644
--- a/cmd/web_letsencrypt.go
+++ b/cmd/web_letsencrypt.go
@@ -55,6 +55,23 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
tlsConfig := magic.TLSConfig()
tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")
+ if version := toTLSVersion(setting.SSLMinimumVersion); version != 0 {
+ tlsConfig.MinVersion = version
+ }
+ if version := toTLSVersion(setting.SSLMaximumVersion); version != 0 {
+ tlsConfig.MaxVersion = version
+ }
+
+ // Set curve preferences
+ if curves := toCurvePreferences(setting.SSLCurvePreferences); len(curves) > 0 {
+ tlsConfig.CurvePreferences = curves
+ }
+
+ // Set cipher suites
+ if ciphers := toTLSCiphers(setting.SSLCipherSuites); len(ciphers) > 0 {
+ tlsConfig.CipherSuites = ciphers
+ }
+
if enableHTTPChallenge {
go func() {
log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
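Review bot: The two added version blocks set `MinVersion` and `MaxVersion` independently, so a configuration whose minimum ends up above its maximum is accepted here and only shows up later as failed handshakes. A check after the second block would surface it at startup, e.g. `if tlsConfig.MaxVersion != 0 && tlsConfig.MinVersion > tlsConfig.MaxVersion { log.Warn("SSL minimum version is higher than the maximum version") }`. Each setting is also skipped when its helper returns zero or an empty slice, which keeps whatever `magic.TLSConfig()` supplied. The helpers are not in this hunk, so it is worth confirming they log an unrecognised value rather than dropping it silently, since a typo would otherwise leave the server on a different policy than the one the operator configured. The cipher comment could also carry the caveat `// Set cipher suites (crypto/tls applies this list to TLS 1.2 and below only; TLS 1.3 suites are not configurable)`; `runLetsEncrypt` starts and ends outside the hunk.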