authentik/internal/utils/tls.go

package utils

import "crypto/tls"

func GetTLSConfig() *tls.Config {
	tlsConfig := &tls.Config{
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}

	// Insecure SWEET32 attack ciphers, TLS config uses a fallback
	insecureCiphersIds := []uint16{
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	}
	defaultSecureCiphers := []uint16{}
	for _, cs := range tls.CipherSuites() {
		for _, icsId := range insecureCiphersIds {
			if cs.ID != icsId {
				defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
			}
		}
	}
	tlsConfig.CipherSuites = defaultSecureCiphers
	return tlsConfig
}
internal: ignore insecure TLS certs (#5483) * servers: ignore insecure TLS certs * slight refactor to have a single place for tls config Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> 2023-05-05 12:57:52 +00:00			`package utils`

			`import "crypto/tls"`

			`func GetTLSConfig() *tls.Config {`
			`tlsConfig := &tls.Config{`
			`MinVersion: tls.VersionTLS12,`
			`MaxVersion: tls.VersionTLS12,`
			`}`

			`// Insecure SWEET32 attack ciphers, TLS config uses a fallback`
			`insecureCiphersIds := []uint16{`
			`tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,`
			`tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,`
			`}`
			`defaultSecureCiphers := []uint16{}`
			`for _, cs := range tls.CipherSuites() {`
			`for _, icsId := range insecureCiphersIds {`
			`if cs.ID != icsId {`
			`defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)`
			`}`
			`}`
			`}`
			`tlsConfig.CipherSuites = defaultSecureCiphers`
			`return tlsConfig`
			`}`