Change default ciphersuites to newer names.
parent
07f7316851
commit
4f27f4b002
2 changed files with 10 additions and 12 deletions
@ -189,9 +189,10 @@ func (c *Config) Validate() error {
switch {
switch {
case c.Address == "":
case c.Address == "":
return errors.New("address cannot be empty")
return errors.New("address cannot be empty")
case len(c.DNSNames) == 0:
case len(c.DNSNames) == 0:
return errors.New("dnsNames cannot be empty")
return errors.New("dnsNames cannot be empty")
case c.AuthorityConfig == nil:
return errors.New("authority cannot be nil")
}
}
// Options holds the RA/CAS configuration.
// Options holds the RA/CAS configuration.
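--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -15,8 +15,9 @@ var (
 // DefaultTLSRenegotiation default TLS connection renegotiation policy.
 DefaultTLSRenegotiation = false // Never regnegotiate.
 // DefaultTLSCipherSuites specifies default step ciphersuite(s).
+// These are TLS 1.0 - 1.2 cipher suites.
 DefaultTLSCipherSuites = CipherSuites{
-"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 }
 // ApprovedTLSCipherSuites smallstep approved ciphersuites.
@@ -26,25 +27,21 @@ var (
 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 }
 // DefaultTLSOptions represents the default TLS version as well as the cipher
 // suites used in the TLS certificates.
 DefaultTLSOptions = TLSOptions{
-CipherSuites: CipherSuites{
-"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-},
-MinVersion: 1.2,
-MaxVersion: 1.2,
-Renegotiation: false,
+CipherSuites: DefaultTLSCipherSuites,
+MinVersion: DefaultTLSMinVersion,
+MaxVersion: DefaultTLSMaxVersion,
+Renegotiation: DefaultTLSRenegotiation,
 }
 )
 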
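Review bot: The new comment `// These are TLS 1.0 - 1.2 cipher suites.` above DefaultTLSCipherSuites does not describe the list under it: both remaining entries are AES-GCM / ChaCha20-Poly1305 AEAD suites, which crypto/tls only negotiates for TLS 1.2, so these defaults never apply to a TLS 1.0 or 1.1 handshake, and TLS 1.3 suites are not configurable through this list at all; suggest `// These are TLS 1.2 cipher suites; TLS 1.3 suites are fixed by crypto/tls and not configurable here.` (the enclosing `var (` block starts outside the hunk). The second hunk also drops the old spellings TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 from ApprovedTLSCipherSuites, so if a deployed configuration still lists them and is validated against this slice, it will presumably be rejected after upgrade — either keep the old names as accepted aliases or state the break in the commit description. Finally, `CipherSuites: DefaultTLSCipherSuites,` makes DefaultTLSOptions alias the same backing array if CipherSuites is a slice type, so an in-place edit or append through one default is visible through the other; copying the slice at this point would keep the two defaults independent.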