Inicio Explorar Axuda
Rexistro Iniciar sesión
publics
/
net
0
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Explorar o código

http2: require either ECDSA or RSA ciphersuite

The HTTP/2 RFC does indeed mandate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
but in practice, people are also using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
becuase they are only using an ECDSA certificate. This is the case in acme/autocert.

It doesn't make sense to enforce only RSA in cipher suites if it will
never be used because they are using a ECDSA certificate.

Change-Id: I86dac192a3eb9b74e4268310a3b550b3bd88a37f
Reviewed-on: https://go-review.googlesource.com/30721
Reviewed-by: Tom Bergan <tombergan@google.com>
Run-TryBot: Tom Bergan <tombergan@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Anmol Sethi %!s(int64=9) %!d(string=hai) anos
pai
01c190206f
achega
a337091b05
Modificáronse 2 ficheiros con 14 adicións e 5 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 7 4
      http2/server.go
  2. 7 1
      http2/server_test.go

+ 7 - 4
http2/server.go
Ver ficheiro 

@@ -220,12 +220,15 @@ func ConfigureServer(s *http.Server, conf *Server) error {
 
 	} else if s.TLSConfig.CipherSuites != nil {
 
 		// If they already provided a CipherSuite list, return
 
 		// an error if it has a bad order or is missing
 
-		// ECDHE_RSA_WITH_AES_128_GCM_SHA256.
 
-		const requiredCipher = tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 
+		// ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
 
 		haveRequired := false
 
 		sawBad := false
 
 		for i, cs := range s.TLSConfig.CipherSuites {
 
-			if cs == requiredCipher {
 
+			switch cs {
 
+			case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 
+				// Alternative MTI cipher to not discourage ECDSA-only servers.
 
+				// See http://golang.org/cl/30721 for further information.
 
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
 
 				haveRequired = true
 
 			}
 
 			if isBadCipher(cs) {
 
@@ -235,7 +238,7 @@ func ConfigureServer(s *http.Server, conf *Server) error {
 
 			}
 
 		}
 
 		if !haveRequired {
 
-			return fmt.Errorf("http2: TLSConfig.CipherSuites is missing HTTP/2-required TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
 
+			return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher.")
 
 		}
 
 	}

+ 7 - 1
http2/server_test.go
Ver ficheiro 

@@ -3189,12 +3189,18 @@ func TestConfigureServer(t *testing.T) {
 
 				CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
 
 			},
 
 		},
 
+		{
 
+			name: "just the alternative required cipher suite",
 
+			tlsConfig: &tls.Config{
 
+				CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
 
+			},
 
+		},
 
 		{
 
 			name: "missing required cipher suite",
 
 			tlsConfig: &tls.Config{
 
 				CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
 
 			},
 
-			wantErr: "is missing HTTP/2-required TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
+			wantErr: "is missing an HTTP/2-required AES_128_GCM_SHA256 cipher.",
 
 		},
 
 		{
 
 			name: "required after bad",