add cipher list from mozilla recommended (#63)

* add cipher list from mozilla recommended * prefer server cipher suite * remove sweet32 ciphers * remove prefer-server and add tls1.3 supported ciphers * move ciphers around * print out error for failing server
palantir · Sep 14, 2021 · d48a1b1 · d48a1b1
1 parent c1d302b
commit d48a1b1
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/baseapp/server.go b/baseapp/server.go
@@ -80,6 +80,20 @@ func NewServer(c HTTPConfig, params ...Param) (*Server, error) {
 		base.server = &http.Server{
 			TLSConfig: &tls.Config{
 				MinVersion: tls.VersionTLS12,
+				CipherSuites: []uint16{
+					// The set of cipher suites from Mozilla's Recommended list
+					// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
+					// with 3DES algorithms removed to avoid sweet32 and https://github.com/golang/go/issues/21144
+					tls.TLS_AES_128_GCM_SHA256,
+					tls.TLS_AES_256_GCM_SHA384,
+					tls.TLS_CHACHA20_POLY1305_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // http2 support
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+				},
 			},
 		}
 	}

diff --git a/example/main.go b/example/main.go
@@ -69,5 +69,7 @@ func main() {
 	}
 
 	// Start the server (blocking)
-	_ = server.Start()
+	if err = server.Start(); err != nil {
+		logger.Error().Err(err).Msg("server failed")
+	}
 }