authorzeripath <art27@cantab.net>2021-11-20 06:12:43 +0000
committerGitHub <noreply@github.com>2021-11-20 01:12:43 -0500
commitc96be0cd982255f20a3fe6ff4683115b8073e65e (patch)
tree3b5c31858438becb2a8a24557c419de9fa085e2a /modules
parent9f14fe43c6de96ce7cf81c87620fcd50e086910c (diff)
downloadgitea-c96be0cd982255f20a3fe6ff4683115b8073e65e.tar.gz
gitea-c96be0cd982255f20a3fe6ff4683115b8073e65e.zip
Make SSL cipher suite configurable (#17440)
Diffstat (limited to 'modules')
-rw-r--r--modules/graceful/server.go40
-rw-r--r--modules/graceful/server_http.go7
-rw-r--r--modules/setting/setting.go8
3 files changed, 11 insertions, 44 deletions
diff --git a/modules/graceful/server.go b/modules/graceful/server.go
index f7ec791d85..159a9879df 100644
--- a/modules/graceful/server.go
+++ b/modules/graceful/server.go
@@ -95,48 +95,14 @@ func (srv *Server) ListenAndServe(serve ServeFunction) error {
return srv.Serve(serve)
}
-// ListenAndServeTLS listens on the provided network address and then calls
-// Serve to handle requests on incoming TLS connections.
-//
-// Filenames containing a certificate and matching private key for the server must
-// be provided. If the certificate is signed by a certificate authority, the
-// certFile should be the concatenation of the server's certificate followed by the
-// CA's certificate.
-func (srv *Server) ListenAndServeTLS(certFile, keyFile string, serve ServeFunction) error {
- config := &tls.Config{}
- if config.NextProtos == nil {
- config.NextProtos = []string{"h2", "http/1.1"}
- }
-
- config.Certificates = make([]tls.Certificate, 1)
-
- certPEMBlock, err := os.ReadFile(certFile)
- if err != nil {
- log.Error("Failed to load https cert file %s for %s:%s: %v", certFile, srv.network, srv.address, err)
- return err
- }
-
- keyPEMBlock, err := os.ReadFile(keyFile)
- if err != nil {
- log.Error("Failed to load https key file %s for %s:%s: %v", keyFile, srv.network, srv.address, err)
- return err
- }
-
- config.Certificates[0], err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
- if err != nil {
- log.Error("Failed to create certificate from cert file %s and key file %s for %s:%s: %v", certFile, keyFile, srv.network, srv.address, err)
- return err
- }
-
- return srv.ListenAndServeTLSConfig(config, serve)
-}
-
// ListenAndServeTLSConfig listens on the provided network address and then calls
// Serve to handle requests on incoming TLS connections.
func (srv *Server) ListenAndServeTLSConfig(tlsConfig *tls.Config, serve ServeFunction) error {
go srv.awaitShutdown()
- tlsConfig.MinVersion = tls.VersionTLS12
+ if tlsConfig.MinVersion == 0 {
+ tlsConfig.MinVersion = tls.VersionTLS12
+ }
l, err := GetListener(srv.network, srv.address)
if err != nil {
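Review bot: The new guard at `if tlsConfig.MinVersion == 0` only fills in the zero value, so a caller that now supplies an explicit minimum below TLS 1.2 is accepted without any trace in the logs, whereas before this change the floor was unconditional. Since that value presumably arrives from the new SSL_MIN_VERSION setting (parsed outside this diff), consider at least logging the downgrade: `} else if tlsConfig.MinVersion < tls.VersionTLS12 {` followed by `log.Warn("TLS minimum version for %s:%s is below TLS 1.2", srv.network, srv.address)`. The removed ListenAndServeTLS also defaulted `NextProtos` to `h2, http/1.1`; nothing in this hunk sets it on the passed-in config, so unless the new caller does, ALPN for HTTP/2 may no longer be advertised — worth confirming. ListenAndServeTLSConfig continues past the end of the hunk.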
diff --git a/modules/graceful/server_http.go b/modules/graceful/server_http.go
index 4471e379ef..f7b22ceb5e 100644
--- a/modules/graceful/server_http.go
+++ b/modules/graceful/server_http.go
@@ -33,13 +33,6 @@ func HTTPListenAndServe(network, address, name string, handler http.Handler) err
return server.ListenAndServe(lHandler)
}
-// HTTPListenAndServeTLS listens on the provided network address and then calls Serve
-// to handle requests on incoming connections.
-func HTTPListenAndServeTLS(network, address, name, certFile, keyFile string, handler http.Handler) error {
- server, lHandler := newHTTPServer(network, address, name, handler)
- return server.ListenAndServeTLS(certFile, keyFile, lHandler)
-}
-
// HTTPListenAndServeTLSConfig listens on the provided network address and then calls Serve
// to handle requests on incoming connections.
func HTTPListenAndServeTLSConfig(network, address, name string, tlsConfig *tls.Config, handler http.Handler) error {
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index c5608c85bc..16ebde1791 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -114,6 +114,10 @@ var (
LetsEncryptTOS bool
LetsEncryptDirectory string
LetsEncryptEmail string
+ SSLMinimumVersion string
+ SSLMaximumVersion string
+ SSLCurvePreferences []string
+ SSLCipherSuites []string
GracefulRestartable bool
GracefulHammerTime time.Duration
StartupTimeout time.Duration
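Review bot: The four new exported settings at `SSLMinimumVersion` through `SSLCipherSuites` carry no doc comment, and because their names do not match the ini keys a reader cannot tell which key feeds them without locating the assignment elsewhere in the file. A one-line comment per field such as `// SSLMinimumVersion is the SSL_MIN_VERSION key (presumably [server]); empty means the server default.`, and likewise for SSL_MAX_VERSION, SSL_CURVE_PREFERENCES and SSL_CIPHER_SUITES, would make the mapping visible at the declaration. The surrounding `var (` block starts and ends outside the hunk.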
@@ -618,6 +622,10 @@ func NewContext() {
}
LetsEncryptDirectory = sec.Key("LETSENCRYPT_DIRECTORY").MustString("https")
LetsEncryptEmail = sec.Key("LETSENCRYPT_EMAIL").MustString("")
+ SSLMinimumVersion = sec.Key("SSL_MIN_VERSION").MustString("")
+ SSLMaximumVersion = sec.Key("SSL_MAX_VERSION").MustString("")
+ SSLCurvePreferences = sec.Key("SSL_CURVE_PREFERENCES").Strings(",")
+ SSLCipherSuites = sec.Key("SSL_CIPHER_SUITES").Strings(",")
Domain = sec.Key("DOMAIN").MustString("localhost")
HTTPAddr = sec.Key("HTTP_ADDR").MustString("0.0.0.0")
HTTPPort = sec.Key("HTTP_PORT").MustString("3000")
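Review bot: The four new keys at `SSL_MIN_VERSION` through `SSL_CIPHER_SUITES` are stored as raw, unvalidated strings and lists, so an unsupported version name, an unknown cipher or curve name, or a minimum above the maximum is not reported here; whatever maps them onto tls.Config is outside this diff, so I can only assume that is where any check lives. Because a misspelled value can silently fall back to defaults or weaken the TLS configuration, it would be worth validating at load time — for example rejecting or warning on a minimum below TLS 1.2 with log.Warn — and documenting the accepted spellings in a comment beside these assignments. NewContext starts and ends outside this hunk.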