ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Allow setting custom TLS ciphers #131

Open mattgahs opened 8 months ago

mattgahs commented 8 months ago

Hello!

I need to disable some TLS ciphers in the mokey web service. What's the best way to do so?

Specifically:

TLSv1.2:

TLSv1.3:

Thanks!

Aterfax commented 8 months ago

Looks like mokey might need some amendments in the code to implement the setting of this in the TOML file / via options from https://pkg.go.dev/net/http#hdr-Clients_and_Transports

For now I would recommend configuring a reverse proxy with the OS native NGINX / Apache or something like the SWAG docker.

aebruno commented 8 months ago

@mattgahs We currently do not support setting custom TLS ciphers. As @Aterfax mentioned, you have a few options:

  1. Run mokey behind nginx (or another webserver) using proxy pass and configure your custom ciphers there
  2. Modify the code here to support setting a custom tls.Config with your custom cipher list. See here.

I'll add this issue as a feature so in the future we can support custom ciphers. If you do end up implementing option 2 feel free to submit a PR.
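What option 2 would look like in Go, as an added example that is not part of this thread or of mokey's code: suite names (hypothetical values, assumed to come from the TOML config) are resolved against the standard library's list of secure suites and handed to the http.Server via tls.Config.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
)

// cipherSuiteIDs resolves TLS 1.2 cipher suite names (as spelled by the Go
// standard library, case-insensitive) to their IDs. Suites Go marks insecure
// are never offered, and TLS 1.3 names are rejected because Go does not let
// a tls.Config restrict them; accepting the name silently would mislead.
func cipherSuiteIDs(names []string) ([]uint16, error) {
	byName := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() { // secure suites only
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 {
				byName[strings.ToUpper(cs.Name)] = cs.ID
			}
		}
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		id, ok := byName[strings.ToUpper(strings.TrimSpace(n))]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is unknown, insecure or TLS 1.3-only", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// newTLSConfig is what option 2 amounts to: a tls.Config with TLS 1.2 as the
// floor and only the listed TLS 1.2 suites enabled.
func newTLSConfig(names []string) (*tls.Config, error) {
	ids, err := cipherSuiteIDs(names)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}, nil
}

func main() {
	// Hypothetical list; in mokey it would be read from the TOML config.
	cfg, err := newTLSConfig([]string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
	if err != nil {
		panic(err)
	}
	_ = &http.Server{Addr: ":8443", TLSConfig: cfg} // then ListenAndServeTLS(cert, key)
}
```

Go fixes the TLS 1.3 suite set, so the TLSv1.3 part of the request can only be handled by the reverse-proxy route.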