Merge: + DNS, Web: use only secure TLSv1.2 ciphers

Close #1384 Squashed commit of the following: commit cd90abcce573a8e930446ba153565e553e6b81d5 Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Mar 20 19:17:53 2020 +0300 minor commit a1914c5f41425e82cdedc9716bce84470afab65b Merge: 72c53673 c8285c41 Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Mar 20 19:17:21 2020 +0300 Merge remote-tracking branch 'origin/master' into 1384-tls12-ciphers commit 72c536737e0502bb397562ade47aedb9f2ae4494 Author: Simon Zolin <s.zolin@adguard.com> Date: Wed Mar 4 18:16:24 2020 +0300 + DNS, Web: use only secure TLSv1.2 ciphers
2020-03-23 10:23:34 +03:00
parent c8285c41d7
commit 06b3378fd7
5 changed files with 56 additions and 0 deletions
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -186,6 +186,7 @@ type ServerConfig struct {
 	TLSAllowUnencryptedDOH bool

 	TLSv12Roots *x509.CertPool // list of root CAs for TLSv1.2
+	TLSCiphers  []uint16       // list of TLS ciphers to use

 	// Called when the configuration is changed by HTTP request
 	ConfigModified func()
@@ -348,6 +349,7 @@ func (s *Server) Prepare(config *ServerConfig) error {
 		}
 	}
 	upstream.RootCAs = s.conf.TLSv12Roots
+	upstream.CipherSuites = s.conf.TLSCiphers

 	if len(proxyConfig.Upstreams) == 0 {
 		log.Fatal("len(proxyConfig.Upstreams) == 0")