set cipher list when using tls 1.2

ConSol-Monitoring · Jun 21, 2023 · cdb0b28 · cdb0b28
1 parent 3cf9fd6
commit cdb0b28
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/pkg/snclient/config.go b/pkg/snclient/config.go
@@ -331,3 +331,16 @@ func parseTLSMinVersion(version string) (uint16, error) {
 		return 0, err
 	}
 }
+
+func getSecureCiphers() (ciphers []uint16) {
+	ciphers = []uint16{}
+	for _, cipher := range tls.CipherSuites() {
+		if cipher.Insecure {
+			continue
+		}
+		log.Tracef("enabled cipher: %s", cipher.Name)
+		ciphers = append(ciphers, cipher.ID)
+	}
+
+	return
+}
diff --git a/pkg/snclient/listener.go b/pkg/snclient/listener.go
@@ -137,6 +137,14 @@ func (l *Listener) setListenConfig(conf *ConfigSection) error {
 			l.tlsConfig.MinVersion = min
 		}
 
+		/* remove insecure cipers, but only tls == 1.2
+		 * with tls 1.3 go decides which ciphers will be used
+		 * with tls < 1.2 we allow all ciphers, it unsecure anyway and it seems like an old client needs to connect (default is 1.2)
+		 */
+		if l.tlsConfig.MinVersion == tls.VersionTLS12 {
+			l.tlsConfig.CipherSuites = getSecureCiphers()
+		}
+
 		// certificate
 		certPath, ok := conf.GetString("certificate")
 		switch {