mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 09:57:31 +02:00
b5848765b2
* internal: update TLS Suite Signed-off-by: Jens Langhammer <jens@goauthentik.io> * disable chacha20 due to fips Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
41 lines
995 B
Go
41 lines
995 B
Go
package utils
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"slices"
|
|
)
|
|
|
|
func GetTLSConfig() *tls.Config {
|
|
// Based on
|
|
// https://ssl-config.mozilla.org/#server=go&version=1.25&config=intermediate&guideline=5.7
|
|
tlsConfig := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
CurvePreferences: []tls.CurveID{
|
|
tls.X25519,
|
|
tls.CurveP256,
|
|
tls.CurveP384,
|
|
},
|
|
PreferServerCipherSuites: true,
|
|
CipherSuites: []uint16{},
|
|
}
|
|
|
|
excludedCiphers := []uint16{
|
|
// ChaCha20 is not FIPS validated
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
// Insecure SWEET32 attack ciphers, TLS config uses a fallback
|
|
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
}
|
|
|
|
defaultSecureCiphers := []uint16{}
|
|
for _, cs := range tls.CipherSuites() {
|
|
if slices.Contains(excludedCiphers, cs.ID) {
|
|
continue
|
|
}
|
|
defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
|
|
}
|
|
tlsConfig.CipherSuites = defaultSecureCiphers
|
|
return tlsConfig
|
|
}
|