internal: ignore insecure TLS certs (#5483)

* servers: ignore insecure TLS certs * slight refactor to have a single place for tls config Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2023-05-05 06:57:52 -06:00
parent b7b62ba089
commit ab795e6642
4 changed files with 36 additions and 16 deletions
--- a/internal/utils/tls.go
+++ b/internal/utils/tls.go
@ -0,0 +1,26 @@
+package utils
+
+import "crypto/tls"
+
+func GetTLSConfig() *tls.Config {
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		MaxVersion: tls.VersionTLS12,
+	}
+
+	// Insecure SWEET32 attack ciphers, TLS config uses a fallback
+	insecureCiphersIds := []uint16{
+		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	}
+	defaultSecureCiphers := []uint16{}
+	for _, cs := range tls.CipherSuites() {
+		for _, icsId := range insecureCiphersIds {
+			if cs.ID != icsId {
+				defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
+			}
+		}
+	}
+	tlsConfig.CipherSuites = defaultSecureCiphers
+	return tlsConfig
+}