Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-31 10:13:14 -04:00
Code Issues Packages Projects Releases Wiki Activity

Harden tls on all places (#5184)

Browse Source 
PR 2938 hardens tls though there are other places that uses TLS
as well and setTLSDefaults are not invoked in other paths.

This PR hardens tls on all places.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is contained in:
Yong Tang
2022-02-17 12:26:08 -08:00
committed by GitHub
parent f8a02aaf58
commit c0c72e5894
2 changed files with 24 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
plugin/tls/tls.go
View File

@@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error {
return nil
}
func setTLSDefaults(tls *ctls.Config) {
tls.MinVersion = ctls.VersionTLS12
tls.MaxVersion = ctls.VersionTLS13
tls.CipherSuites = []uint16{
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
}
func parseTLS(c *caddy.Controller) error {
config := dnsserver.GetConfig(c)
@@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error {
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
tls.ClientCAs = tls.RootCAs
setTLSDefaults(tls)
config.TLSConfig = tls
}
return nil