Add tls option for Elliptic Curve Preferences

2019-11-03 15:54:04 +01:00 · 2019-11-03 15:54:04 +01:00 · 5a3e325742
commit 5a3e325742
parent c5ec12cd56
10 changed files with 104 additions and 15 deletions
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@ -211,7 +211,7 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 		}
 	}

-	// Set the minimum TLS version if set in the config TOML
+	// Set the minimum TLS version if set in the config
 	if minConst, exists := MinVersion[tlsOption.MinVersion]; exists {
 		conf.PreferServerCipherSuites = true
 		conf.MinVersion = minConst
@ -223,7 +223,7 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 		conf.MaxVersion = maxConst
 	}

-	// Set the list of CipherSuites if set in the config TOML
+	// Set the list of CipherSuites if set in the config
 	if tlsOption.CipherSuites != nil {
 		// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
 		conf.CipherSuites = make([]uint16, 0)
@ -237,6 +237,20 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 		}
 	}

+	// Set the list of CurvePreferences/CurveIDs if set in the config
+	if tlsOption.CurvePreferences != nil {
+		conf.CurvePreferences = make([]tls.CurveID, 0)
+		// if our list of CurvePreferences/CurveIDs is defined in the config, we can re-initialize the list as empty
+		for _, curve := range tlsOption.CurvePreferences {
+			if curveID, exists := CurveIDs[curve]; exists {
+				conf.CurvePreferences = append(conf.CurvePreferences, curveID)
+			} else {
+				// CurveID listed in the toml does not exist in our listed
+				return nil, fmt.Errorf("invalid CurveID in curvePreferences: %s", curve)
+			}
+		}
+	}
+
 	return conf, nil
 }