http: harden http server for public net - closes #334

ory · Jan 2, 2017 · 2d2554b · 2d2554b
1 parent a887ad6
commit 2d2554b
Showing 1 changed file with 22 additions and 2 deletions.
diff --git a/cmd/server/handler.go b/cmd/server/handler.go
@@ -62,9 +62,29 @@ func RunHost(c *config.Config) func(cmd *cobra.Command, args []string) {
 				Certificates: []tls.Certificate{
 					getOrCreateTLSCertificate(cmd, c),
 				},
+				PreferServerCipherSuites: true,
+				CurvePreferences: []tls.CurveID{
+					tls.CurveP256,
+					// tls.X25519, // Go 1.8 only
+				},
+				MinVersion: tls.VersionTLS12,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					// tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // Go 1.8 only
+					// tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,   // Go 1.8 only
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+
+					// Best disabled, as they don't provide Forward Secrecy,
+					// but might be necessary for some clients
+					// tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+					// tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+				},
 			},
-			ReadTimeout:  time.Second * 5,
-			WriteTimeout: time.Second * 10,
+			ReadTimeout:  5 * time.Second,
+			WriteTimeout: 10 * time.Second,
+			// IdleTimeout:  120 * time.Second, // Go 1.8 only
 		}
 
 		var err error