Use predefined Ciphers when TLS is configured

author: Frédéric Guillot <fred@miniflux.net> 2018-09-08 21:43:45 -0700
committer: Frédéric Guillot <fred@miniflux.net> 2018-09-08 21:43:45 -0700
commit: 46932c91a6d8960a687ac29a57efaa4cac74c028 (patch)
tree: 0addc70c9be4db1025aee9a79d936f7a3c9deaa9
parent: 2306a4b2f6464b0f3cb822405e37471a37abe46f (diff)
1 files changed, 19 insertions, 1 deletions
diff --git a/daemon/server.go b/daemon/server.go
index 084a709..841e3b3 100644
--- a/daemon/server.go
+++ b/daemon/server.go
@@ -55,9 +55,27 @@ func newServer(cfg *config.Config, store *storage.Storage, pool *scheduler.Worke
 			}
 		}()
 	} else if certFile != "" && keyFile != "" {
-		server.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
 		cfg.IsHTTPS = true
 
+		// See https://blog.cloudflare.com/exposing-go-on-the-internet/
+		// And https://wiki.mozilla.org/Security/Server_Side_TLS
+		server.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			PreferServerCipherSuites: true,
+			CurvePreferences: []tls.CurveID{
+				tls.CurveP256,
+				tls.X25519,
+			},
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			},
+		}
+
 		go func() {
 			logger.Info(`Listening on "%s" by using certificate "%s" and key "%s"`, server.Addr, certFile, keyFile)
 			if err := server.ListenAndServeTLS(certFile, keyFile); err != http.ErrServerClosed {
author	Frédéric Guillot <fred@miniflux.net>	2018-09-08 21:43:45 -0700
committer	Frédéric Guillot <fred@miniflux.net>	2018-09-08 21:43:45 -0700
commit	46932c91a6d8960a687ac29a57efaa4cac74c028 (patch)
tree	0addc70c9be4db1025aee9a79d936f7a3c9deaa9
parent	2306a4b2f6464b0f3cb822405e37471a37abe46f (diff)