diff options
| -rw-r--r-- | plugin/pkg/tls/tls.go | 26 | ||||
| -rw-r--r-- | plugin/tls/tls.go | 18 |
2 files changed, 24 insertions, 20 deletions
diff --git a/plugin/pkg/tls/tls.go b/plugin/pkg/tls/tls.go index 8d36d6823..cba25503e 100644 --- a/plugin/pkg/tls/tls.go +++ b/plugin/pkg/tls/tls.go @@ -11,6 +11,22 @@ import ( "time" ) +func setTLSDefaults(ctls *tls.Config) { + ctls.MinVersion = tls.VersionTLS12 + ctls.MaxVersion = tls.VersionTLS13 + ctls.CipherSuites = []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + } +} + // NewTLSConfigFromArgs returns a TLS config based upon the passed // in list of arguments. Typically these come straight from the // Corefile. @@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) { return nil, err } - return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil + tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots} + setTLSDefaults(tlsConfig) + + return tlsConfig, nil } // NewTLSClientConfig returns a TLS config for a client connection @@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) { return nil, err } - return &tls.Config{RootCAs: roots}, nil + tlsConfig := &tls.Config{RootCAs: roots} + setTLSDefaults(tlsConfig) + + return tlsConfig, nil } func loadRoots(caPath string) (*x509.CertPool, error) { diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go index 930c5e702..2658159a9 100644 --- a/plugin/tls/tls.go +++ b/plugin/tls/tls.go @@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error { return nil } -func setTLSDefaults(tls *ctls.Config) { - tls.MinVersion = ctls.VersionTLS12 - tls.MaxVersion = ctls.VersionTLS13 - tls.CipherSuites = []uint16{ - ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - } -} - func parseTLS(c *caddy.Controller) error { config := dnsserver.GetConfig(c) @@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error { // NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it. tls.ClientCAs = tls.RootCAs - setTLSDefaults(tls) - config.TLSConfig = tls } return nil |