Open guhuajian opened 7 months ago
you know, CBC workmode and SHA1 is not safe by now, and others maybe not safe tomorrow, so is it possible to make the CipherSuites to be configurable? thanks!
tlsConfig := &tls.Config{ ClientCAs: certPool, ClientAuth: clientAuthType, MinVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, PreferServerCipherSuites: true, CipherSuites: []uint16{ **tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA256,** }, } server := &http.Server{ Addr: listenAddress, TLSConfig: tlsConfig, }
you know, CBC workmode and SHA1 is not safe by now, and others maybe not safe tomorrow, so is it possible to make the CipherSuites to be configurable? thanks!
tlsConfig := &tls.Config{ ClientCAs: certPool, ClientAuth: clientAuthType, MinVersion: tls.VersionTLS12, CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, PreferServerCipherSuites: true, CipherSuites: []uint16{ **tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA256,** }, } server := &http.Server{ Addr: listenAddress, TLSConfig: tlsConfig, }