Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-28 00:34:24 -04:00
Code Issues Packages Projects Releases Wiki Activity

TLS hardening (#2938)

Browse Source 
Automatically submitted.
This commit is contained in:
bcebere
2019-06-28 14:03:34 +03:00
committed by corbot[bot]
parent 41661b0848
commit 6e7a5f5677
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
plugin/tls/tls.go
View File

@@ -25,6 +25,23 @@ func setup(c *caddy.Controller) error {
return nil
}
func setTLSDefaults(tls *ctls.Config) {
tls.MinVersion = ctls.VersionTLS12
tls.MaxVersion = ctls.VersionTLS13
tls.CipherSuites = []uint16{
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
tls.PreferServerCipherSuites = true
}
func parseTLS(c *caddy.Controller) error {
config := dnsserver.GetConfig(c)
@@ -70,6 +87,9 @@ func parseTLS(c *caddy.Controller) error {
tls.ClientAuth = clientAuth
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
tls.ClientCAs = tls.RootCAs
setTLSDefaults(tls)
config.TLSConfig = tls
}
return nil