parent
eb2dfa78c9
commit
1a5d079670
@ -58,6 +58,8 @@ server:
|
|||||||
# always send a PROXY protocol header ahead of the connection. See the
|
# always send a PROXY protocol header ahead of the connection. See the
|
||||||
# manual ("Reverse proxies") for more details.
|
# manual ("Reverse proxies") for more details.
|
||||||
proxy: false
|
proxy: false
|
||||||
|
# set the minimum TLS version:
|
||||||
|
min-tls-version: 1.2
|
||||||
|
|
||||||
# Example of a Unix domain socket for proxying:
|
# Example of a Unix domain socket for proxying:
|
||||||
# "/tmp/oragono_sock":
|
# "/tmp/oragono_sock":
|
||||||
|
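Review bot: The comment above the new `min-tls-version: 1.2` line does not say what happens when the key is left out, while the parallel hunk in the second YAML file in this commit (`@ -32,6 +32,8 @@ server:`) states "defaults to 1.0"; the two example configs should agree. The fallback is not a fixed value of this project but whatever the crypto/tls package of the Go toolchain supplies (the Go hunk's own comment says "currently 1.0"), so the wording should say that rather than pin a number, e.g. `# set the minimum TLS version; if omitted, the Go crypto/tls default applies (1.0 at the time of writing):`. The same hedge belongs in the "(defaults to 1.0)" comment of the second YAML hunk.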
@ -59,6 +59,7 @@ type listenerConfigBlock struct {
|
|||||||
TLS TLSListenConfig
|
TLS TLSListenConfig
|
||||||
// SNI configuration, with multiple certificates:
|
// SNI configuration, with multiple certificates:
|
||||||
TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
|
TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
|
||||||
|
MinTLSVersion string `yaml:"min-tls-version"`
|
||||||
Proxy bool
|
Proxy bool
|
||||||
Tor bool
|
Tor bool
|
||||||
STSOnly bool `yaml:"sts-only"`
|
STSOnly bool `yaml:"sts-only"`
|
||||||
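Review bot: The new `MinTLSVersion` field has no comment stating which strings it accepts, and that information currently exists only as the `switch` in `tlsMinVersionFromString` elsewhere in this commit. A one-line field comment keeps the contract next to the YAML key: `// MinTLSVersion is the lowest TLS version the listener accepts ("1.0", "1.1", "1.2" or "1.3"); empty leaves the crypto/tls default.` The `listenerConfigBlock` struct begins outside this hunk.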
@ -881,10 +882,29 @@ func loadTlsConfig(config listenerConfigBlock) (tlsConfig *tls.Config, err error
|
|||||||
result := tls.Config{
|
result := tls.Config{
|
||||||
Certificates: certificates,
|
Certificates: certificates,
|
||||||
ClientAuth: clientAuth,
|
ClientAuth: clientAuth,
|
||||||
|
MinVersion: tlsMinVersionFromString(config.MinTLSVersion),
|
||||||
}
|
}
|
||||||
return &result, nil
|
return &result, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func tlsMinVersionFromString(version string) uint16 {
|
||||||
|
version = strings.ToLower(version)
|
||||||
|
version = strings.TrimPrefix(version, "v")
|
||||||
|
switch version {
|
||||||
|
case "1", "1.0":
|
||||||
|
return tls.VersionTLS10
|
||||||
|
case "1.1":
|
||||||
|
return tls.VersionTLS11
|
||||||
|
case "1.2":
|
||||||
|
return tls.VersionTLS12
|
||||||
|
case "1.3":
|
||||||
|
return tls.VersionTLS13
|
||||||
|
default:
|
||||||
|
// tls package will fill in a sane value, currently 1.0
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
|
func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
|
||||||
// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
|
// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
|
||||||
// the parsed form of the certificate is not retained." tls.Config:
|
// the parsed form of the certificate is not retained." tls.Config:
|
||||||
|
@ -32,6 +32,8 @@ server:
|
|||||||
# always send a PROXY protocol header ahead of the connection. See the
|
# always send a PROXY protocol header ahead of the connection. See the
|
||||||
# manual ("Reverse proxies") for more details.
|
# manual ("Reverse proxies") for more details.
|
||||||
proxy: false
|
proxy: false
|
||||||
|
# optionally set the minimum TLS version (defaults to 1.0):
|
||||||
|
# min-tls-version: 1.2
|
||||||
|
|
||||||
# Example of a Unix domain socket for proxying:
|
# Example of a Unix domain socket for proxying:
|
||||||
# "/tmp/oragono_sock":
|
# "/tmp/oragono_sock":
|
||||||
|