diff options
| author |  bcebere <bogdan.cebere@gmail.com>
| 2019-06-28 14:03:34 +0300 |
|---|---|---|
| committer |  corbot[bot] <39114087+corbot[bot]@users.noreply.github.com>
| 2019-06-28 11:03:34 +0000 |
| commit | 6e7a5f56779c4ff1b317a98c5c8a1e9b472cab15 (patch) | |
| tree | d24911181cb23874fed30075e238c682a01ee4b4 /plugin/tls/tls.go | |
| parent | 41661b0848cb62a13c9e6860016b1db665b0bc32 (diff) | |
| download | coredns-6e7a5f56779c4ff1b317a98c5c8a1e9b472cab15.tar.gz coredns-6e7a5f56779c4ff1b317a98c5c8a1e9b472cab15.tar.zst coredns-6e7a5f56779c4ff1b317a98c5c8a1e9b472cab15.zip | |
TLS hardening (#2938)
Automatically submitted.
Diffstat (limited to 'plugin/tls/tls.go')
| -rw-r--r-- | plugin/tls/tls.go | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go index cde543ea0..e87f802ec 100644 --- a/plugin/tls/tls.go +++ b/plugin/tls/tls.go @@ -25,6 +25,23 @@ func setup(c *caddy.Controller) error { return nil } +func setTLSDefaults(tls *ctls.Config) { + tls.MinVersion = ctls.VersionTLS12 + tls.MaxVersion = ctls.VersionTLS13 + tls.CipherSuites = []uint16{ + ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + } + tls.PreferServerCipherSuites = true +} + func parseTLS(c *caddy.Controller) error { config := dnsserver.GetConfig(c) @@ -70,6 +87,9 @@ func parseTLS(c *caddy.Controller) error { tls.ClientAuth = clientAuth // NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it. tls.ClientCAs = tls.RootCAs + + setTLSDefaults(tls) + config.TLSConfig = tls } return nil |