From 557fd9ea187b1279b43ff63b94fedf2320aa3351 Mon Sep 17 00:00:00 2001
From: Daniel Schalla
Date: Tue, 16 Oct 2018 16:51:46 +0200
Subject: Set default ciphers, set tls 1.2 via config, set curve prefs (#9315)
Config Checks at StartUp Part1 Config Checks; Tests for TLS Server HSTS header implementation + tests make gofmt happy with new go version... make gofmt happy with new go version #2... fix logic bug fix typo Fix unnecessary code block
---
app/server.go | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 57 insertions(+), 8 deletions(-)
(limited to 'app/server.go')
diff --git a/app/server.go b/app/server.go
index debb6764f..b95059c84 100644
--- a/app/server.go
+++ b/app/server.go
@@ -46,7 +46,7 @@ type Server struct {
 didFinishListen chan struct{}
 }
 
-var corsAllowedMethods []string = []string{
+var corsAllowedMethods = []string{
 "POST",
 "GET",
 "OPTIONS",
@@ -199,26 +199,75 @@ func (a *App) StartServer() error { go func() { var err error if *a.Config().ServiceSettings.ConnectionSecurity == model.CONN_SECURITY_TLS { - if *a.Config().ServiceSettings.UseLetsEncrypt { - tlsConfig := &tls.Config{ - GetCertificate: m.GetCertificate, + tlsConfig := &tls.Config{ + PreferServerCipherSuites: true, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + } + + switch *a.Config().ServiceSettings.TLSMinVer { + case "1.0": + tlsConfig.MinVersion = tls.VersionTLS10 + case "1.1": + tlsConfig.MinVersion = tls.VersionTLS11 + default: + tlsConfig.MinVersion = tls.VersionTLS12 + } + + defaultCiphers := []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + } + + if len(a.Config().ServiceSettings.TLSOverwriteCiphers) == 0 { + tlsConfig.CipherSuites = defaultCiphers + } else { + var cipherSuites []uint16 + for _, cipher := range a.Config().ServiceSettings.TLSOverwriteCiphers { + value, ok := model.ServerTLSSupportedCiphers[cipher] + + if !ok { + mlog.Warn("Unsupported cipher passed", mlog.String("cipher", cipher)) + continue + } + + cipherSuites = append(cipherSuites, value) } - tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2") + if len(cipherSuites) == 0 { + mlog.Warn("No supported ciphers passed, fallback to default cipher suite") + cipherSuites = defaultCiphers + } + + tlsConfig.CipherSuites = cipherSuites + } + + certFile := "" + keyFile := "" - a.Srv.Server.TLSConfig = tlsConfig - err = a.Srv.Server.ServeTLS(listener, "", "") + if *a.Config().ServiceSettings.UseLetsEncrypt { + tlsConfig.GetCertificate = m.GetCertificate + tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2") } else { - err = a.Srv.Server.ServeTLS(listener, *a.Config().ServiceSettings.TLSCertFile, 
*a.Config().ServiceSettings.TLSKeyFile) + certFile = *a.Config().ServiceSettings.TLSCertFile + keyFile = *a.Config().ServiceSettings.TLSKeyFile } + + a.Srv.Server.TLSConfig = tlsConfig + err = a.Srv.Server.ServeTLS(listener, certFile, keyFile) } else { err = a.Srv.Server.Serve(listener) } + if err != nil && err != http.ErrServerClosed { mlog.Critical(fmt.Sprintf("Error starting server, err:%v", err)) time.Sleep(time.Second) } + close(a.Srv.didFinishListen) }() -- cgit v1.2.3-1-g7c22
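Review bot: The default cipher list in this hunk ends with `tls.TLS_RSA_WITH_AES_128_GCM_SHA256` and `tls.TLS_RSA_WITH_AES_256_GCM_SHA384`, which use static RSA key exchange and give no forward secrecy; because `PreferServerCipherSuites` is set and the ECDHE entries come first they are only reached by clients that offer no ECDHE suite, so they can be removed from `defaultCiphers` (or kept with a comment saying legacy-client compatibility is the reason). The `CurvePreferences` order starts with `tls.CurveP521`, so every ECDHE handshake pays for the slowest curve; `[]tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384}` is the usual ordering. The `TLSMinVer` switch maps any unrecognised value, including a typo, silently to TLS 1.2; the fail-secure result is right, but a `mlog.Warn` in the `default` branch for values other than "1.2" would surface the misconfiguration. When `UseLetsEncrypt` adds "h2", Go's HTTP/2 setup presumably fails `ServeTLS` for a user-supplied `TLSOverwriteCiphers` list that lacks an ECDHE AES-128-GCM suite or orders the TLS_RSA suites ahead of the ECDHE ones, which is worth confirming and documenting next to the `TLSOverwriteCiphers` handling. StartServer begins before and ends after this hunk.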