make use of TLS version options
This commit is contained in:
parent
43dbaa5b3d
commit
a3923642c1
6
main.go
6
main.go
|
@ -270,7 +270,8 @@ func run() int {
|
||||||
}
|
}
|
||||||
|
|
||||||
if args.cert != "" {
|
if args.cert != "" {
|
||||||
cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers, !args.disableHTTP2)
|
cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile,
|
||||||
|
args.ciphers, uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
|
||||||
if err1 != nil {
|
if err1 != nil {
|
||||||
mainLogger.Critical("TLS config construction failed: %v", err1)
|
mainLogger.Critical("TLS config construction failed: %v", err1)
|
||||||
return 3
|
return 3
|
||||||
|
@ -293,7 +294,8 @@ func run() int {
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
cfg := m.TLSConfig()
|
cfg := m.TLSConfig()
|
||||||
cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers, !args.disableHTTP2)
|
cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers,
|
||||||
|
uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
mainLogger.Critical("TLS config construction failed: %v", err)
|
mainLogger.Critical("TLS config construction failed: %v", err)
|
||||||
return 3
|
return 3
|
||||||
|
|
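Review bot: The `uint16(args.minTLSVersion)` and `uint16(args.maxTLSVersion)` conversions passed to makeServerTLSConfig wrap silently, so if these flags are parsed as plain ints (as the cast suggests) a typo such as an extra digit does not fail startup but becomes an unrelated version number, possibly a lower minimum than the operator intended. The same casts appear in the second hunk of this file, in the updateServerTLSConfig call. I would validate before either call, for example `if !validTLSVersion(args.minTLSVersion) || !validTLSVersion(args.maxTLSVersion) { mainLogger.Critical("unsupported TLS version requested"); return 3 }`, where the helper accepts 0 (meaning "Go default") and the `tls.VersionTLS10`..`tls.VersionTLS13` constants and rejects everything else. Checking `min <= max` there too turns a handshake-time failure into a clear startup error. The enclosing run() starts and ends outside both hunks.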
11
utils.go
11
utils.go
|
@ -151,8 +151,11 @@ func copyBody(wr io.Writer, body io.Reader) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*tls.Config, error) {
|
func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
|
||||||
var cfg tls.Config
|
cfg := tls.Config{
|
||||||
|
MinVersion: minVer,
|
||||||
|
MaxVersion: maxVer,
|
||||||
|
}
|
||||||
cert, err := tls.LoadX509KeyPair(certfile, keyfile)
|
cert, err := tls.LoadX509KeyPair(certfile, keyfile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -179,7 +182,7 @@ func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*t
|
||||||
return &cfg, nil
|
return &cfg, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*tls.Config, error) {
|
func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
|
||||||
if cafile != "" {
|
if cafile != "" {
|
||||||
roots := x509.NewCertPool()
|
roots := x509.NewCertPool()
|
||||||
certs, err := ioutil.ReadFile(cafile)
|
certs, err := ioutil.ReadFile(cafile)
|
||||||
|
@ -198,6 +201,8 @@ func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*t
|
||||||
} else {
|
} else {
|
||||||
cfg.NextProtos = []string{"http/1.1", "acme-tls/1"}
|
cfg.NextProtos = []string{"http/1.1", "acme-tls/1"}
|
||||||
}
|
}
|
||||||
|
cfg.MinVersion = minVer
|
||||||
|
cfg.MaxVersion = maxVer
|
||||||
return cfg, nil
|
return cfg, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
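Review bot: makeServerTLSConfig stores minVer and maxVer into the tls.Config without any consistency check, so a caller passing a non-zero minVer greater than maxVer gets a nil error back and every later handshake fails instead; updateServerTLSConfig (last hunk of this file) has the same gap where it assigns `cfg.MinVersion`/`cfg.MaxVersion`. A guard at the top of each, such as `if minVer != 0 && maxVer != 0 && minVer > maxVer { return nil, errors.New("TLS min version exceeds max version") }`, reports the misconfiguration once at startup (use whatever error constructor utils.go already imports). Neither function has a doc comment; the new parameters deserve one line stating that 0 keeps crypto/tls's default minimum and highest-supported maximum, since that zero-value behaviour is what the callers rely on when the flags are unset. The bodies of both functions continue outside the hunks shown.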