// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package common
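// defaultTLSCipherSuites is the cipher suite list used when a caller does not
// configure its own, in the order listed. Every entry uses ECDHE key exchange
// (forward secrecy) with an AEAD cipher (AES-GCM or ChaCha20-Poly1305); none
// of the legacy static-RSA or CBC suites from extraTLSCipherSuites appear here.
var defaultTLSCipherSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// DefaultTLSCipherSuites returns the default cipher suite list in the order it
// is declared. The result is a fresh copy on every call, so callers may sort,
// filter or append to it without mutating the package-level default that other
// callers (and the supported-suite lookup built from it) rely on.
func DefaultTLSCipherSuites() []string {
	// Copy rather than return the package slice: handing out the backing array
	// would let any caller silently change the defaults for the whole process.
	out := make([]string, len(defaultTLSCipherSuites))
	copy(out, defaultTLSCipherSuites)
	return out
}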
// extraTLSCipherSuites lists cipher suites that Envoy currently still accepts
// but that are insecure and pending removal upstream. They are recognized by
// SupportedTLSCipherSuite for compatibility with existing configuration only
// and are never part of defaultTLSCipherSuites. The first group uses static
// RSA key exchange (no forward secrecy); the second uses CBC-mode ciphers.
var extraTLSCipherSuites = []string{
	// Static RSA key exchange: https://github.com/envoyproxy/envoy/issues/5399
	"TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_128_CBC_SHA",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_RSA_WITH_AES_256_CBC_SHA",
	// CBC-mode ECDHE suites: https://github.com/envoyproxy/envoy/issues/5400
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
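// supportedTLSCipherSuites is the set of every cipher-suite name this package
// accepts: the secure defaults plus the deprecated extras. Membership means
// "recognized", not "recommended"; defaultTLSCipherSuites is the preferred list.
var supportedTLSCipherSuites = func() map[string]struct{} {
	// Range the two lists separately instead of append(default, extra...):
	// append would write into defaultTLSCipherSuites' backing array if that
	// slice ever gained spare capacity, silently corrupting the defaults.
	set := make(map[string]struct{}, len(defaultTLSCipherSuites)+len(extraTLSCipherSuites))
	for _, list := range [][]string{defaultTLSCipherSuites, extraTLSCipherSuites} {
		for _, name := range list {
			set[name] = struct{}{}
		}
	}
	return set
}()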
// SupportedTLSCipherSuite reports whether cipherSuite is a name this package
// recognizes: one of the defaults or one of the deprecated extras that Envoy
// still accepts. A true result therefore does not imply the suite is secure;
// DefaultTLSCipherSuites is the recommended set.
func SupportedTLSCipherSuite(cipherSuite string) bool {
	if _, found := supportedTLSCipherSuites[cipherSuite]; found {
		return true
	}
	return false
}
// SupportedTLSVersions is the set of TLS version names accepted in
// configuration. "TLS_AUTO" presumably leaves the version choice to Envoy;
// the remaining entries pin a specific protocol version. TLSv1_0 and TLSv1_1
// are kept for compatibility with existing configuration only; both are
// deprecated (RFC 8996) and should not be chosen for new deployments.
var SupportedTLSVersions = map[string]struct{}{
	"TLS_AUTO": {},
	"TLSv1_0":  {},
	"TLSv1_1":  {},
	"TLSv1_2":  {},
	"TLSv1_3":  {},
}
// TLSVersionsWithConfigurableCipherSuites is the set of TLS version names for
// which a custom cipher-suite list may be configured. TLSv1_3 is deliberately
// absent: the cipher-suite names in this package are TLS 1.2-style suites, so
// a cipher-suite setting combined with a TLS 1.3-only version is presumably
// rejected by the caller that validates configuration. The empty string stands
// for "version not set" — TODO confirm against the callers — and is treated
// like TLS_AUTO.
var TLSVersionsWithConfigurableCipherSuites = map[string]struct{}{
	// Remove these two ("" and TLS_AUTO) if Envoy ever sets TLS 1.3 as the
	// default minimum, since the cipher-suite list would then never apply.
	"":         {},
	"TLS_AUTO": {},
	"TLSv1_0":  {},
	"TLSv1_1":  {},
	"TLSv1_2":  {},
}