Home Explore Help
Sign In
ThebeMail
/
ref-go-smtprelay
mirror of https://github.com/decke/smtprelay.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Improve TLS Config to prefer server ciphers, remove 3DES ciphers and require TLS 1.1 or higher

Bernhard Froehlich 6 years ago
parent
92be537b25
commit
6270d75571
1 changed files with 48 additions and 0 deletions
Unified View Show Diff Stats
  1. 48 0
      main.go

+ 48 - 0
main.go
View File 

@@ -192,6 +192,30 @@ func main() {
 
 			}
 
 			}
 
 
 
 			server.TLSConfig = &tls.Config {
 
 			server.TLSConfig = &tls.Config {
 
+				PreferServerCipherSuites: true,
 
+				MinVersion:               tls.VersionTLS11,
 
+
 
+				// Ciphersuites as defined in stock Go but without 3DES
 
+				// https://golang.org/src/crypto/tls/cipher_suites.go
 
+				CipherSuites: []uint16 {
 
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
 
+					tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
 
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
 
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 
+					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 
+				},
 
 				Certificates: [] tls.Certificate{cert},
 
 				Certificates: [] tls.Certificate{cert},
 
 			}
 
 			}
 
 			server.ForceTLS = *localForceTLS
 
 			server.ForceTLS = *localForceTLS
 
@@ -215,6 +239,30 @@ func main() {
 
 			}
 
 			}
 
 
 
 			server.TLSConfig = &tls.Config {
 
 			server.TLSConfig = &tls.Config {
 
+				PreferServerCipherSuites: true,
 
+				MinVersion:               tls.VersionTLS11,
 
+
 
+				// Ciphersuites as defined in stock Go but without 3DES
 
+				// https://golang.org/src/crypto/tls/cipher_suites.go
 
+				CipherSuites: []uint16 {
 
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 
+					tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
 
+					tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
 
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
 
+					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 
+					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 
+				},
 
 				Certificates: [] tls.Certificate{cert},
 
 				Certificates: [] tls.Certificate{cert},
 
 			}
 
 			}