
Improve TLS Config to prefer server ciphers, remove 3DES ciphers and require TLS 1.1 or higher

Bernhard Froehlich 6 năm trước cách đây
mục cha
commit
6270d75571
1 tập tin đã thay đổi với 48 bổ sung0 xóa
  1. 48 0
      main.go

+ 48 - 0
main.go

@@ -192,6 +192,30 @@ func main() {
 			}
 
 			server.TLSConfig = &tls.Config {
+				PreferServerCipherSuites: true,
+				MinVersion:               tls.VersionTLS11,
+
+				// Ciphersuites as defined in stock Go but without 3DES
+				// https://golang.org/src/crypto/tls/cipher_suites.go
+				CipherSuites: []uint16 {
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
+					tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+				},
 				Certificates: [] tls.Certificate{cert},
 			}
 			server.ForceTLS = *localForceTLS
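Review bot: The explicit `CipherSuites` list turns on `tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` and `tls.TLS_RSA_WITH_AES_128_CBC_SHA256`, which crypto/tls leaves off by default and reports under `tls.InsecureCipherSuites()`. The list is therefore wider than the "stock Go but without 3DES" comment claims, and dropping those three entries would bring it back in line with the defaults. `MinVersion: tls.VersionTLS11` also still admits a deprecated protocol version under which only the CBC-SHA suites in this list can be negotiated; `MinVersion: tls.VersionTLS12` is the safer floor if the client base allows it. The same 24 lines are added again in the hunk at `-215,6 +239,30`, so one shared slice or a small helper that builds the `*tls.Config` would keep the two listeners from drifting apart. The enclosing `main` body starts and ends outside the hunk.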
@@ -215,6 +239,30 @@ func main() {
 			}
 
 			server.TLSConfig = &tls.Config {
+				PreferServerCipherSuites: true,
+				MinVersion:               tls.VersionTLS11,
+
+				// Ciphersuites as defined in stock Go but without 3DES
+				// https://golang.org/src/crypto/tls/cipher_suites.go
+				CipherSuites: []uint16 {
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
+					tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+				},
 				Certificates: [] tls.Certificate{cert},
 			}