authorAaron Wood <aaronjwood@gmail.com>2017-02-12 19:12:07 -0500
committer无闻 <u@gogs.io>2017-02-12 19:12:07 -0500
commit68ead67a6330953ae3ec3b78b85adae8da4bedf7 (patch)
treed5645bd1f3ad4956e153bbaada2389d49b1fb265
parent2d38b754001628718c16deef7b3a737a1ac4ab67 (diff)
Use very strong ciphers (#4116)
* Use very strong ciphers * Remove TLS_RSA_WITH_AES_256_GCM_SHA384 to be compatible with Go 1.5
-rw-r--r--cmd/web.go12
1 files changed, 11 insertions, 1 deletions
diff --git a/cmd/web.go b/cmd/web.go
index 792d8b67..b0277c25 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -663,7 +663,17 @@ func runWeb(ctx *cli.Context) error {
case setting.SCHEME_HTTP:
err = http.ListenAndServe(listenAddr, m)
case setting.SCHEME_HTTPS:
- server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10}, Handler: m}
+ server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
+ MinVersion: tls.VersionTLS10,
+ CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+ PreferServerCipherSuites: true,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // Required for HTTP/2 support.
+ tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ },
+ }, Handler: m}
err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
case setting.SCHEME_FCGI:
err = fcgi.Serve(nil, m)
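Review bot: `MinVersion: tls.VersionTLS10` is carried over unchanged, so the server still negotiates TLS 1.0/1.1, and the last list entry `tls.TLS_RSA_WITH_AES_256_CBC_SHA` is a static-RSA CBC suite without forward secrecy; neither fits the stated goal of very strong ciphers. Consider `MinVersion: tls.VersionTLS12,` and dropping the static-RSA entry, or, if legacy clients must stay supported, a comment on those two lines saying so. Every suite in `CipherSuites` is RSA-authenticated, so a deployment whose `setting.CertFile` holds an ECDSA certificate would presumably fail the handshake; adding `tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` and `tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` ahead of the CBC entries would cover that case. The body of runWeb starts and ends outside the hunk, so this is based only on the visible switch arm.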