feat: extended TLS configuration #259
Conversation
no objections in general, but for readability, can we use string names for the ciphers and curve names instead?
I'm not sure I understand what you mean by using My goal was to keep the code simple and to avoid hardcoding (I guess that was the goal in https://github.com/cesanta/docker_auth/pull/232/files too). I see no way around either a hardcoded map to "translate" user provided strings to actual
ok, scratch that, you cannot use reflect to lookup package constants. so, how about we support string representation for the existing list of ciphers, that way:

```yaml
tls_cipher_suites:
  - TLS_RSA_WITH_RC4_128_SHA
  - 0x0005
```

will both work. all you need to do is make that a list of strings, look up the value in the hard-coded map and then fall back to same applies to curve names.
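The lookup scheme proposed above (name first, hex literal as the fallback, same for curves), worked through as an added example. This is not the project's code and not what the PR merged; the lookup tables, the function names `resolveID`, `ParseCipherSuites`, `ParseCurves` and `BuildTLSConfig`, and the TLS 1.2 floor are all assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical lookup tables (not the project's own): string names of the
// crypto/tls constants mapped to their 16-bit IANA identifiers. Only suites
// and curves Go implements are listed, so a name lookup can only yield
// something the server can actually negotiate.
var cipherSuiteNames = map[string]uint16{
	"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
	"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}

var curveNames = map[string]uint16{
	"CurveP256": uint16(tls.CurveP256),
	"CurveP384": uint16(tls.CurveP384),
	"CurveP521": uint16(tls.CurveP521),
	"X25519":    uint16(tls.X25519),
}

// resolveID accepts either a name from the table or a hex literal such as
// "0x0005". Anything else is an error: a typo must fail loudly instead of
// silently shrinking the allowed list.
func resolveID(entry string, names map[string]uint16) (uint16, error) {
	entry = strings.TrimSpace(entry)
	if v, ok := names[entry]; ok {
		return v, nil
	}
	if strings.HasPrefix(strings.ToLower(entry), "0x") {
		v, err := strconv.ParseUint(entry[2:], 16, 16)
		if err != nil {
			return 0, fmt.Errorf("invalid hex identifier %q: %w", entry, err)
		}
		return uint16(v), nil
	}
	return 0, fmt.Errorf("unknown identifier %q", entry)
}

// ParseCipherSuites turns the configured list into the []uint16 that
// tls.Config.CipherSuites expects, dropping exact duplicates so that a
// name and its hex form do not both end up in the preference order.
func ParseCipherSuites(entries []string) ([]uint16, error) {
	seen := map[uint16]bool{}
	var out []uint16
	for _, e := range entries {
		id, err := resolveID(e, cipherSuiteNames)
		if err != nil {
			return nil, fmt.Errorf("tls_cipher_suites: %w", err)
		}
		if !seen[id] {
			seen[id] = true
			out = append(out, id)
		}
	}
	return out, nil
}

// ParseCurves does the same for tls.Config.CurvePreferences.
func ParseCurves(entries []string) ([]tls.CurveID, error) {
	var out []tls.CurveID
	for _, e := range entries {
		id, err := resolveID(e, curveNames)
		if err != nil {
			return nil, fmt.Errorf("tls_curve_preferences: %w", err)
		}
		out = append(out, tls.CurveID(id))
	}
	return out, nil
}

// BuildTLSConfig assembles a server tls.Config from the parsed lists. The
// TLS 1.2 floor is an assumption of this example, not the project's default.
func BuildTLSConfig(suites, curves []string) (*tls.Config, error) {
	cs, err := ParseCipherSuites(suites)
	if err != nil {
		return nil, err
	}
	cv, err := ParseCurves(curves)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CipherSuites:     cs,
		CurvePreferences: cv,
	}, nil
}

func main() {
	// Constructed input mirroring the thread: the name and its hex form
	// resolve to the same identifier and collapse to one entry.
	cfg, err := BuildTLSConfig(
		[]string{"TLS_RSA_WITH_RC4_128_SHA", "0x0005", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
		[]string{"X25519", "0x0017"},
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("suites=%#04x curves=%v\n", cfg.CipherSuites, cfg.CurvePreferences)
}
```

One caveat worth keeping in mind with the hex fallback: an identifier that crypto/tls does not implement is simply never negotiated, and nothing in the handshake reports that. If the hardening matters, cross-check hex entries against `tls.CipherSuites()` at startup rather than trusting that the configured list is what clients will see.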
That should do it. It was slightly trickier than
getting there, some minor comments
Some validation logic could be added in

merged, thank you!
This PR extends the server's TLS configuration. While the default TLS settings should be enough for most use cases, if you get a bit paranoid about security you'd probably want to tweak things a bit. This PR allows for that.
The motivation in my case is passing the FedRAMP certification, which required some TLS vulnerabilities to be addressed. Here's a FedRAMP compliant (as of Sep 5th, 2019) configuration example:
If you're curious I used this tool to test both the current server and the patched one with the settings above, and the differences are there.