mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0
358 stars 59 forks

Use caddy ciphers from JSON file #108

Closed bokub closed 4 years ago

bokub commented 4 years ago

The cipher names have changed in Caddy v2 (v1 being deprecated now)

The full list of ciphers is available here

These are the replacements I made:

| Caddy v1 | Caddy v2 |
| --- | --- |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-ECDSA-WITH-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| ECDHE-RSA-WITH-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| ECDHE-ECDSA-AES128-CBC-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| ECDHE-RSA-AES256-CBC-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| ECDHE-RSA-AES128-CBC-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| ECDHE-ECDSA-AES256-CBC-SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| RSA-AES128-CBC-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| RSA-AES256-CBC-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| RSA-3DES-EDE-CBC-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |

april commented 4 years ago

I think Caddy's cipher suites should now match the go ones, correct?

april commented 4 years ago

Also, you should be able to support both Caddy v1 and Caddy v2 by using the minver macro and an if/else statement. :)

bokub commented 4 years ago

> I think Caddy's cipher suites should now match the go ones, correct?

The following ciphers from go are not supported by Caddy:

> you should be able to support both Caddy v1 and Caddy v2 by using the minver macro and an if/else statement.

All right, I will do if v1: <hardcoded ciphers>; else <ciphers from JSON>

bokub commented 4 years ago

@april I've used the minver macro and an if/else statement as you suggested :+1:

april commented 4 years ago

This is great, could I ask for one more favor?

Would you be willing to rebase your changes against 5.5.json (which is the latest version) by creating a 5.6.json with caddy in it? I always bump the numbers when there is a change to these files, since a lot of tools rely on them programmatically.

Thanks again, I (and @mholt) really appreciate all your hard work here!

mholt commented 4 years ago

To clarify, the new cipher names should be the same as the IANA-registered names, which I believe match Go, although the set of ciphers Caddy supports and the set of ciphers Go supports are not the same.
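The two points made above, that Caddy v2 names are the IANA names Go uses and that a rename table is easy to get wrong, can be checked mechanically. The following is an added example written for this page, not code from Caddy or the ssl-config-generator. It transcribes the rename table from the PR description, derives the IANA-style name for each Caddy v1 name with a small rename rule (an assumption of mine that covers only the naming patterns in that table, not a general OpenSSL-to-IANA converter), and looks each proposed v2 name up in Go's own crypto/tls suite list (secure and insecure lists combined) to confirm the name exists. Any row whose proposed name disagrees with the derived one, or which Go does not implement, is reported.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"strings"
)

// Row is one line of the rename table: the Caddy v1 (OpenSSL-style) name and
// the Caddy v2 (IANA-style) name proposed for it.
type Row struct{ V1, V2 string }

// table is transcribed from the rename table in the PR description above.
var table = []Row{
	{"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
	{"ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
	{"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
	{"ECDHE-RSA-AES256-GCM-SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384"},
	{"ECDHE-ECDSA-WITH-CHACHA20-POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"},
	{"ECDHE-RSA-WITH-CHACHA20-POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
	{"ECDHE-ECDSA-AES128-CBC-SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"},
	{"ECDHE-RSA-AES256-CBC-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
	{"ECDHE-RSA-AES128-CBC-SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
	{"ECDHE-ECDSA-AES256-CBC-SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"},
	{"RSA-AES128-CBC-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"},
	{"RSA-AES256-CBC-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"},
	{"RSA-3DES-EDE-CBC-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
}

var aesRe = regexp.MustCompile(`^AES(\d+)$`)

// IANAName derives the IANA/Go suite name from a Caddy v1 name. This rename
// rule is an assumption that covers the patterns in the table above only.
func IANAName(v1 string) string {
	var toks []string
	for _, t := range strings.Split(v1, "-") {
		if t != "WITH" { // Caddy v1 spelled the ChaCha20 suites with an extra WITH
			toks = append(toks, t)
		}
	}
	var kex string
	if toks[0] == "ECDHE" { // key exchange plus authentication algorithm
		kex, toks = toks[0]+"_"+toks[1], toks[2:]
	} else { // plain RSA key exchange
		kex, toks = toks[0], toks[1:]
	}
	for i, t := range toks {
		toks[i] = aesRe.ReplaceAllString(t, "AES_$1") // AES128 -> AES_128
	}
	name := "TLS_" + kex + "_WITH_" + strings.Join(toks, "_")
	if strings.HasSuffix(name, "CHACHA20_POLY1305") {
		name += "_SHA256" // IANA names carry the PRF hash
	}
	return name
}

// goSuites returns every suite name Go's crypto/tls implements, secure and
// insecure lists combined, so that a name is judged on existence only.
func goSuites() map[string]bool {
	known := map[string]bool{}
	for _, s := range tls.CipherSuites() {
		known[s.Name] = true
	}
	for _, s := range tls.InsecureCipherSuites() {
		known[s.Name] = true
	}
	return known
}

// Check returns one message per row whose proposed v2 name differs from the
// derived IANA name, or which Go's crypto/tls does not implement at all.
func Check(rows []Row) []string {
	known := goSuites()
	var problems []string
	for _, r := range rows {
		want := IANAName(r.V1)
		switch {
		case r.V2 != want:
			problems = append(problems, fmt.Sprintf("%s: table says %s, expected %s", r.V1, r.V2, want))
		case !known[r.V2]:
			problems = append(problems, fmt.Sprintf("%s: %s not implemented by Go crypto/tls", r.V1, r.V2))
		}
	}
	return problems
}

func main() {
	for _, p := range Check(table) {
		fmt.Println(p)
	}
}
```

Run as written, the check flags exactly one row of the transcribed table: the ECDHE-RSA-AES256-GCM-SHA384 line, whose proposed v2 name drops the ECDHE prefix. Note that the existence check only says Go knows the name; as the comment above points out, Caddy supports a subset of Go's suites, so a name passing here still needs to be checked against Caddy's own list.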

april commented 4 years ago

Maybe the better option would simply be to use the iana list and then have a list of ciphers that Caddy doesn't support in the configuration file instead?

bokub commented 4 years ago

@april I've added 5.6.json and edited the symlink as requested

Here is the diff between 5.5 and 5.6

april commented 4 years ago

I had to fix some errors in the caddy cipher list, but it should all be up and running now. Thanks again!

mholt commented 4 years ago

Oh, awesome -- you folks are amazing! Thanks for working on that. :+1: