search

spacemonkeygo / openssl

OpenSSL bindings for Go
http://godoc.org/github.com/spacemonkeygo/openssl
Apache License 2.0
473 stars 236 forks source link

srv TLSConfig not taking effect in call to ServerListenAndServeTLS() #85

Open hhui1234 opened 6 years ago

hhui1234 commented 6 years ago

I am using the latest spacemonkeygo/openssl as of today. My code is as follows:

    cfg := &tls.Config{
            MinVersion:               tls.VersionTLS12,
            CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
            PreferServerCipherSuites: true,
            ClientAuth:               clientAuth,
            ClientCAs:                clientCertPool,
            CipherSuites: []uint16{
                    tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
                    tls.TLS_RSA_WITH_AES_256_CBC_SHA,
            },
    }
    cfg.Rand = rand.Reader

    srv := &http.Server{
                   Addr: ":" + httpsPort,
                   Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
                                    // some proprietary stuff

                                    handler.ServeHTTP(w, req)
                            }),
                            TLSConfig:    cfg,
                            TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
       }
       log.Fatal(openssl.ServerListenAndServeTLS(srv, certFile, pkeyFile))

As you can see, MinVersion is set to TLS 1.2 and I also specified a narrow set of CipherSuites. However, sslscan shows that TLS1.0-1.2 are all accepted: Supported Server Cipher(s): Preferred TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits SEED-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Accepted TLSv1.2 128 bits RC4-SHA
Accepted TLSv1.2 128 bits RC4-MD5
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits SEED-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Accepted TLSv1.1 128 bits RC4-SHA
Accepted TLSv1.1 128 bits RC4-MD5
Accepted TLSv1.1 112 bits DES-CBC3-SHA
Preferred TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits SEED-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Accepted TLSv1.0 128 bits RC4-SHA
Accepted TLSv1.0 128 bits RC4-MD5
Accepted TLSv1.0 112 bits DES-CBC3-SHA

I have further verified that calling srv.ListenAndServeTLS(certFile, pkeyFile) instead works as expected and only TLS 1.2 ciphers are returned: Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-521 DHE 521 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521 Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA

FYI I need to use spacemonkeygo openssl pkg as I need FIPS mode support.