Use very strong ciphers (#4116)

* Use very strong ciphers * Remove TLS_RSA_WITH_AES_256_GCM_SHA384 to be compatible with Go 1.5
2017-02-12 19:12:07 -05:00 · 2017-02-12 19:12:07 -05:00 · 68ead67a63
parent 2d38b75400
commit 68ead67a63
1 changed files with 11 additions and 1 deletions
--- a/cmd/web.go
+++ b/cmd/web.go
@ -663,7 +663,17 @@ func runWeb(ctx *cli.Context) error {
 	case setting.SCHEME_HTTP:
 		err = http.ListenAndServe(listenAddr, m)
 	case setting.SCHEME_HTTPS:
-		server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10}, Handler: m}
+		server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
+			MinVersion:               tls.VersionTLS10,
+			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // Required for HTTP/2 support.
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			},
+		}, Handler: m}
 		err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
 	case setting.SCHEME_FCGI:
 		err = fcgi.Serve(nil, m)