diff options
| author | bors[bot] <26634292+bors[bot]@users.noreply.github.com> | 2020-08-27 06:47:16 +0000 |
|---|---|---|
| committer | GitHub <[email protected]> | 2020-08-27 06:47:16 +0000 |
| commit | 88b394324165e3e16253c27552b0d4d7d6628a81 (patch) | |
| tree | 2bee7c5dad1ab95e33261e30cd086d49e37227ce /service/http/service.go | |
| parent | e706748e751a462d81a30de09bebf5ab27e696c2 (diff) | |
| parent | 863de7aee465b3c5d7d8628f52302f87ffb9c093 (diff) | |
Merge #353
353: Pci dss upgrade r=48d90782 a=48d90782
resolves #352
Co-authored-by: Valery Piashchynski <[email protected]>
Diffstat (limited to 'service/http/service.go')
| -rw-r--r-- | service/http/service.go | 59 |
1 files changed, 58 insertions, 1 deletions
diff --git a/service/http/service.go b/service/http/service.go index ba0c4b1c..25a10064 100644 --- a/service/http/service.go +++ b/service/http/service.go @@ -21,6 +21,7 @@ import ( "github.com/spiral/roadrunner/util" "golang.org/x/net/http2" "golang.org/x/net/http2/h2c" + "golang.org/x/sys/cpu" ) const ( @@ -311,11 +312,67 @@ func (s *Service) appendRootCa() error { // Init https server func (s *Service) initSSL() *http.Server { + var topCipherSuites []uint16 + var defaultCipherSuitesTLS13 []uint16 + + hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ + hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL + // Keep in sync with crypto/aes/cipher_s390x.go. + hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM) + + hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X + + if hasGCMAsm { + // If AES-GCM hardware is provided then prioritise AES-GCM + // cipher suites. + topCipherSuites = []uint16{ + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + } + defaultCipherSuitesTLS13 = []uint16{ + tls.TLS_AES_128_GCM_SHA256, + tls.TLS_CHACHA20_POLY1305_SHA256, + tls.TLS_AES_256_GCM_SHA384, + } + } else { + // Without AES-GCM hardware, we put the ChaCha20-Poly1305 + // cipher suites first. + topCipherSuites = []uint16{ + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + } + defaultCipherSuitesTLS13 = []uint16{ + tls.TLS_CHACHA20_POLY1305_SHA256, + tls.TLS_AES_128_GCM_SHA256, + tls.TLS_AES_256_GCM_SHA384, + } + } + + DefaultCipherSuites := make([]uint16, 0, 22) + DefaultCipherSuites = append(DefaultCipherSuites, topCipherSuites...) + DefaultCipherSuites = append(DefaultCipherSuites, defaultCipherSuitesTLS13...) + server := &http.Server{ Addr: s.tlsAddr(s.cfg.Address, true), Handler: s, TLSConfig: &tls.Config{ - MinVersion: tls.VersionTLS12, + CurvePreferences: []tls.CurveID{ + tls.CurveP256, + tls.CurveP384, + tls.CurveP521, + tls.X25519, + }, + CipherSuites: DefaultCipherSuites, + MinVersion: tls.VersionTLS12, + PreferServerCipherSuites: true, }, } s.throw(EventInitSSL, server) |