Require minimum TLSv1.3

This commit is contained in:
Melon 2023-12-06 08:38:12 +00:00
parent 1f4f4414d5
commit c5b9b4904e
Signed by: melon
GPG Key ID: 6C9D970C50D26A25

View File

@ -45,16 +45,7 @@ func NewHttpsServer(conf *conf.Conf, registry *prometheus.Registry) *http.Server
Addr: conf.HttpsListen, Addr: conf.HttpsListen,
Handler: hsts, Handler: hsts,
TLSConfig: &tls.Config{ TLSConfig: &tls.Config{
// Suggested by https://ssl-config.mozilla.org/#server=go&version=1.21.5&config=intermediate MinVersion: tls.VersionTLS13,
MinVersion: tls.VersionTLS12,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
// error out on invalid domains // error out on invalid domains
if !conf.Domains.IsValid(info.ServerName) { if !conf.Domains.IsValid(info.ServerName) {