[server] Configure TLS options

2019-08-15 10:06:06 +03:00 · 2019-08-15 10:06:06 +03:00 · e19a33fc1f
commit e19a33fc1f
parent f4a57a9265
1 changed files with 23 additions and 1 deletions
--- a/sources/cmd/server/server.go
+++ b/sources/cmd/server/server.go
@ -1068,7 +1068,29 @@ func main_0 () (error) {
 	}
 	
 	
-	_tlsConfig := & tls.Config {}
+	_tlsConfig := & tls.Config {
+			Certificates : nil,
+			MinVersion : tls.VersionTLS12,
+			CipherSuites : []uint16 {
+					// NOTE:  https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+					// NOTE:  TLSv1.3
+					tls.TLS_AES_128_GCM_SHA256,
+					tls.TLS_AES_256_GCM_SHA384,
+					tls.TLS_CHACHA20_POLY1305_SHA256,
+					// NOTE:  TLSv1.2
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+					// NOTE:  Required for HTTP/2.
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+				},
+			Renegotiation : tls.RenegotiateNever,
+			PreferServerCipherSuites : true,
+			SessionTicketsDisabled : true,
+			DynamicRecordSizingDisabled : true,
+		}
+	
 	if _certificate, _error := tls.X509KeyPair ([]byte (DefaultTlsCertificatePublic), []byte (DefaultTlsCertificatePrivate)); _error == nil {
 		_tlsConfig.Certificates = append (_tlsConfig.Certificates, _certificate)
 	} else {