author | zeripath <art27@cantab.net> | 2021-11-20 06:12:43 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-20 01:12:43 -0500 |
commit | c96be0cd982255f20a3fe6ff4683115b8073e65e (patch) | |
tree | 3b5c31858438becb2a8a24557c419de9fa085e2a /modules | |
parent | 9f14fe43c6de96ce7cf81c87620fcd50e086910c (diff) | |
Make SSL cipher suite configurable (#17440)
Diffstat (limited to 'modules')
-rw-r--r-- | modules/graceful/server.go | 40 | ||||
-rw-r--r-- | modules/graceful/server_http.go | 7 | ||||
-rw-r--r-- | modules/setting/setting.go | 8 |
3 files changed, 11 insertions, 44 deletions
diff --git a/modules/graceful/server.go b/modules/graceful/server.go
index f7ec791d85..159a9879df 100644
--- a/modules/graceful/server.go
+++ b/modules/graceful/server.go
@@ -95,48 +95,14 @@ func (srv *Server) ListenAndServe(serve ServeFunction) error {
 return srv.Serve(serve)
 }
-// ListenAndServeTLS listens on the provided network address and then calls
-// Serve to handle requests on incoming TLS connections.
-//
-// Filenames containing a certificate and matching private key for the server must
-// be provided. If the certificate is signed by a certificate authority, the
-// certFile should be the concatenation of the server's certificate followed by the
-// CA's certificate.
-func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFunction) error {
- config := &tls.Config{}
- if config.NextProtos == nil {
- config.NextProtos = []string{"h2", "http/1.1"}
- }
-
- config.Certificates = make([]tls.Certificate, 1)
-
- certPEMBlock, err := os.ReadFile(certFile)
- if err != nil {
- log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
- return err
- }
-
- keyPEMBlock, err := os.ReadFile(keyFile)
- if err != nil {
- log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
- return err
- }
-
- config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
- if err != nil {
- log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err)
- return err
- }
-
- return srv.ListenAndServeTLSConfig(config, serve)
-}
-
 // ListenAndServeTLSConfig listens on the provided network address and then calls
 // Serve to handle requests on incoming TLS connections.
 func (srv *Server) ListenAndServeTLSConfig(tlsConfig *tls.Config, serve ServeFunction) error {
 go srv.awaitShutdown()
- tlsConfig.MinVersion = tls.VersionTLS12
+ if tlsConfig.MinVersion == 0 {
+ tlsConfig.MinVersion = tls.VersionTLS12
+ }
 l, err := GetListener(srv.network, srv.address)
 if err != nil {
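Review bot: The new guard in ListenAndServeTLSConfig only fills MinVersion when it is zero, so a caller-supplied config whose MinVersion is below TLS 1.2 (now possible once the minimum comes from SSL_MIN_VERSION) is honoured silently, where the old line pinned TLS 1.2 unconditionally. A one-line warning keeps that relaxation visible in the logs: `} else if tlsConfig.MinVersion < tls.VersionTLS12 { log.Warn("TLS minimum version for %s:%s is below TLS 1.2", srv.network, srv.address) }`. The guard also dereferences tlsConfig before any nil check, whereas the deleted ListenAndServeTLS always built the config itself; `if tlsConfig == nil { tlsConfig = &tls.Config{} }` ahead of it would preserve the old safety for callers not shown here. The removed function additionally defaulted NextProtos to h2/http1.1, and this hunk does not show where that now happens, so it is worth confirming in the caller. ListenAndServeTLSConfig's body continues past the end of the hunk.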
diff --git a/modules/graceful/server_http.go b/modules/graceful/server_http.go
index 4471e379ef..f7b22ceb5e 100644
--- a/modules/graceful/server_http.go
+++ b/modules/graceful/server_http.go
@@ -33,13 +33,6 @@ func HTTPListenAndServe(network, address, name string, handler http.Handler) err
 return server.ListenAndServe(lHandler)
 }
-// HTTPListenAndServeTLS listens on the provided network address and then calls Serve
-// to handle requests on incoming connections.
-func HTTPListenAndServeTLS(network, address, name, certFile, keyFile string, handler http.Handler) error {
- server, lHandler := newHTTPServer(network, address, name, handler)
- return server.ListenAndServeTLS(certFile, keyFile, lHandler)
-}
-
 // HTTPListenAndServeTLSConfig listens on the provided network address and then calls Serve
 // to handle requests on incoming connections.
 func HTTPListenAndServeTLSConfig(network, address, name string, tlsConfig *tls.Config, handler http.Handler) error {
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index c5608c85bc..16ebde1791 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -114,6 +114,10 @@ var (
 LetsEncryptTOS bool
 LetsEncryptDirectory string
 LetsEncryptEmail string
+ SSLMinimumVersion string
+ SSLMaximumVersion string
+ SSLCurvePreferences []string
+ SSLCipherSuites []string
 GracefulRestartable bool
 GracefulHammerTime time.Duration
 StartupTimeout time.Duration
@@ -618,6 +622,10 @@ func NewContext() {
 }
 LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
 LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
+ SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
+ SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
+ SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
+ SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
 Domain = sec.Key("DOMAIN").MustString("localhost")
 HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
 HTTPPort = sec.Key("HTTP_PORT").MustString("3000") |
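Review bot: The four SSL_* keys are stored as raw strings and comma-split slices with no validation at config-load time, so a misspelled SSL_MIN_VERSION or an unknown cipher-suite name cannot be reported here and will only surface wherever these values are translated into a tls.Config, which this commit does not show. If that translation is deliberately deferred, a comment on the new lines would make the contract explicit, e.g. `// Raw values; translated into tls.Config settings where the HTTPS listener is built.` The split of SSL_CIPHER_SUITES and SSL_CURVE_PREFERENCES presumably yields an empty slice when the key is absent, and the consumer must treat empty as "use the library defaults" rather than "no suites", which is worth stating next to the keys. NewContext continues outside the hunk.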