Skip to content

C
Coredns
Commit 6e7a5f56 authored by bcebere's avatar bcebere Committed by corbot[bot]
Browse files
Options

TLS hardening (#2938) 

Automatically submitted.
parent 41661b08
Hide whitespace changes
Inline Side-by-side
Showing with 20 additions and 0 deletions
plugin/tls/tls.go
View file @ 6e7a5f56
...@@ -25,6 +25,23 @@ func setup(c *caddy.Controller) error { ...@@ -25,6 +25,23 @@ func setup(c *caddy.Controller) error {
return nil return nil
} }
func setTLSDefaults(tls *ctls.Config) {
tls.MinVersion = ctls.VersionTLS12
tls.MaxVersion = ctls.VersionTLS13
tls.CipherSuites = []uint16{
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
tls.PreferServerCipherSuites = true
}
func parseTLS(c *caddy.Controller) error { func parseTLS(c *caddy.Controller) error {
config := dnsserver.GetConfig(c) config := dnsserver.GetConfig(c)
...@@ -70,6 +87,9 @@ func parseTLS(c *caddy.Controller) error { ...@@ -70,6 +87,9 @@ func parseTLS(c *caddy.Controller) error {
tls.ClientAuth = clientAuth tls.ClientAuth = clientAuth
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it. // NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
tls.ClientCAs = tls.RootCAs tls.ClientCAs = tls.RootCAs
setTLSDefaults(tls)
config.TLSConfig = tls config.TLSConfig = tls
} }
return nil return nil
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment