From 6e7a5f56779c4ff1b317a98c5c8a1e9b472cab15 Mon Sep 17 00:00:00 2001
From: bcebere <bogdan.cebere@gmail.com>
Date: Fri, 28 Jun 2019 14:03:34 +0300
Subject: [PATCH] TLS hardening (#2938)

Automatically submitted.
---
 plugin/tls/tls.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go
index cde543ea0..e87f802ec 100644
--- a/plugin/tls/tls.go
+++ b/plugin/tls/tls.go
@@ -25,6 +25,23 @@ func setup(c *caddy.Controller) error {
 	return nil
 }
 
+func setTLSDefaults(tls *ctls.Config) {
+	tls.MinVersion = ctls.VersionTLS12
+	tls.MaxVersion = ctls.VersionTLS13
+	tls.CipherSuites = []uint16{
+		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+	tls.PreferServerCipherSuites = true
+}
+
 func parseTLS(c *caddy.Controller) error {
 	config := dnsserver.GetConfig(c)
 
@@ -70,6 +87,9 @@ func parseTLS(c *caddy.Controller) error {
 		tls.ClientAuth = clientAuth
 		// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
 		tls.ClientCAs = tls.RootCAs
+
+		setTLSDefaults(tls)
+
 		config.TLSConfig = tls
 	}
 	return nil