added support for User prefered Ciphers

ssrahul96 · Sep 22, 2022 · 59d18c6 · 59d18c6
1 parent 91bbb74
commit 59d18c6
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/internal/aghtls/aghtls.go b/internal/aghtls/aghtls.go
@@ -1,7 +1,12 @@
 // Package aghtls contains utilities for work with TLS.
 package aghtls
 
-import "crypto/tls"
+import (
+	"crypto/tls"
+
+	"github.com/AdguardTeam/golibs/log"
+	"golang.org/x/exp/slices"
+)
 
 // SaferCipherSuites returns a set of default cipher suites with vulnerable and
 // weak cipher suites removed.
@@ -28,3 +33,14 @@ func SaferCipherSuites() (safe []uint16) {
 
 	return safe
 }
+
+func UserPreferedCipherSuites(ciphers []string) (userCiphers []uint16) {
+	for _, s := range tls.CipherSuites() {
+		if slices.Contains(ciphers, s.Name) {
+			userCiphers = append(userCiphers, s.ID)
+			log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
+		}
+	}
+
+	return userCiphers
+}
diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go
@@ -165,6 +165,9 @@ type TLSConfig struct {
 	cert tls.Certificate
 	// DNS names from certificate (SAN) or CN value from Subject
 	dnsNames []string
+
+	// ciphers specified by user
+	TLSCiphers []string `yaml:"tls_ciphers" json:"-"`
 }
 
 // DNSCryptConfig is the DNSCrypt server configuration struct.

diff --git a/internal/home/home.go b/internal/home/home.go
@@ -366,6 +366,7 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
 
 		clientFS:     clientFS,
 		clientBetaFS: clientBetaFS,
+		tlsCiphers:   config.TLS.TLSCiphers,
 	}
 
 	web = CreateWeb(&webConf)

diff --git a/internal/home/web.go b/internal/home/web.go
@@ -58,6 +58,9 @@ type webConfig struct {
 	WriteTimeout time.Duration
 
 	firstRun bool
+
+	// ciphers specified by user
+	tlsCiphers []string
 }
 
 // HTTPSServer - HTTPS Server
@@ -269,6 +272,13 @@ func (web *Web) tlsServerLoop() {
 
 		web.httpsServer.cond.L.Unlock()
 
+		var cipher []uint16
+
+		if len(web.conf.tlsCiphers) == 0 {
+			cipher = aghtls.SaferCipherSuites()
+		} else {
+			cipher = aghtls.UserPreferedCipherSuites(web.conf.tlsCiphers)
+		}
 		// prepare HTTPS server
 		address := netutil.JoinHostPort(web.conf.BindHost.String(), web.conf.PortHTTPS)
 		web.httpsServer.server = &http.Server{
@@ -277,7 +287,7 @@ func (web *Web) tlsServerLoop() {
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{web.httpsServer.cert},
 				RootCAs:      Context.tlsRoots,
-				CipherSuites: aghtls.SaferCipherSuites(),
+				CipherSuites: cipher,
 				MinVersion:   tls.VersionTLS12,
 			},
 			Handler:           withMiddlewares(Context.mux, limitRequestBody),