ab795e6642
* servers: ignore insecure TLS certs * slight refactor to have a single place for tls config Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
27 lines
632 B
Go
27 lines
632 B
Go
package utils
|
|
|
|
import "crypto/tls"
|
|
|
|
func GetTLSConfig() *tls.Config {
|
|
tlsConfig := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
MaxVersion: tls.VersionTLS12,
|
|
}
|
|
|
|
// Insecure SWEET32 attack ciphers, TLS config uses a fallback
|
|
insecureCiphersIds := []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
}
|
|
defaultSecureCiphers := []uint16{}
|
|
for _, cs := range tls.CipherSuites() {
|
|
for _, icsId := range insecureCiphersIds {
|
|
if cs.ID != icsId {
|
|
defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
|
|
}
|
|
}
|
|
}
|
|
tlsConfig.CipherSuites = defaultSecureCiphers
|
|
return tlsConfig
|
|
}
|