diff --git a/CHANGELOG.md b/CHANGELOG.md index 35b3a2590d4..06535d8db97 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,15 @@ and this project adheres to ## [Unreleased] + +### Added + +- The new optional `tls.override_tls_ciphers` property list, which can be set in + the configuration file. It allows overriding TLS Ciphers that are used for + https listeners ([#4925]) + +[#4925]: https://github.com/AdguardTeam/AdGuardHome/issues/4925 + @@ -24,15 +33,6 @@ See also the [v0.107.16 GitHub milestone][ms-v0.107.15]. [ms-v0.107.16]: https://github.com/AdguardTeam/AdGuardHome/milestone/52?closed= -### Added - -- The new optional `tls.override_tls_ciphers` property list, which can be set in - the configuration file. It allows overriding TLS Ciphers that are used for - https listeners ([#4925]) - -[#4925]: https://github.com/AdguardTeam/AdGuardHome/issues/4925 - - --> diff --git a/internal/aghtls/aghtls.go b/internal/aghtls/aghtls.go index 4bd20a01dcf..708d659932f 100644 --- a/internal/aghtls/aghtls.go +++ b/internal/aghtls/aghtls.go @@ -3,9 +3,7 @@ package aghtls import ( "crypto/tls" - - "github.com/AdguardTeam/golibs/log" - "golang.org/x/exp/slices" + "fmt" ) // SaferCipherSuites returns a set of default cipher suites with vulnerable and 
@@ -35,15 +33,26 @@ func SaferCipherSuites() (safe []uint16) {
 }
 
 // ParseCipherIDs returns a set of cipher suites with the cipher names provided
-func ParseCipherIDs(ciphers []string) (userCiphers []uint16) {
-	for _, s := range tls.CipherSuites() {
-		if slices.Contains(ciphers, s.Name) {
-			userCiphers = append(userCiphers, s.ID)
-			log.Debug("user specified cipher : %s, ID : %d", s.Name, s.ID)
+func ParseCipherIDs(ciphers []string) (userCiphers []uint16, err error) {
+	for _, cipher := range ciphers {
+		exists, cipherID := CipherExists(cipher)
+		if exists {
+			userCiphers = append(userCiphers, cipherID)
 		} else {
-			log.Error("unknown cipher : %s ", s)
+			return nil, fmt.Errorf("unknown cipher : %s ", cipher)
+		}
+	}
+
+	return userCiphers, nil
+}
+
+// CipherExists returns cipherid if exists, else return false in boolean
+func CipherExists(cipher string) (exists bool, cipherID uint16) {
+	for _, s := range tls.CipherSuites() {
+		if s.Name == cipher {
+			return true, s.ID
 		}
 	}
 
-	return userCiphers
+	return false, 0
 }
diff --git a/internal/home/home.go b/internal/home/home.go
index fad2c695062..49e348a5629 100644
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -369,6 +369,11 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
 		}
 	}
 
+	tlsCiphers, err := getTLSCiphers()
+	if err != nil {
+		return nil, err
+	}
+
 	webConf := webConfig{
 		firstRun: Context.firstRun,
 		BindHost: config.BindHost,
@@ -383,7 +388,7 @@ func initWeb(args options, clientBuildFS fs.FS) (web *Web, err error) {
 		clientBetaFS: clientBetaFS,
 		serveHTTP3: config.DNS.ServeHTTP3,
 
-		tlsCiphers: getTLSCiphers(),
+		tlsCiphers: tlsCiphers,
 	}
 
 	web = newWeb(&webConf)
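Review bot: The error built in ParseCipherIDs, `fmt.Errorf("unknown cipher : %s ", cipher)`, carries a space before the colon and a trailing space, and `%s` hides an empty or whitespace-padded name; `return nil, fmt.Errorf("unknown cipher: %q", cipher)` reads cleanly in a wrapped chain and shows exactly what the operator typed. Because CipherExists consults only `tls.CipherSuites()`, names from `tls.InsecureCipherSuites()` are rejected as unknown, which is the right behaviour for an override list but is implicit today; stating it in the doc comment protects it from a later "fix", e.g. `// CipherExists reports whether cipher names a cipher suite that crypto/tls lists as secure (tls.CipherSuites) and returns its ID.` The result order `(exists bool, cipherID uint16)` is reversed relative to the usual Go `(value, ok)` shape; since CipherExists is new and exported, `func CipherExists(cipher string) (cipherID uint16, ok bool)` is cheaper to change now than after callers accumulate. The `if exists { ... } else { return ... }` in ParseCipherIDs would read better as a guard, `if !exists { return nil, ... }` followed by the append at loop level.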
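Review bot: The new early return in initWeb, `return nil, err`, passes the ParseCipherIDs error up without naming its origin, so a misspelled suite surfaces as a bare "unknown cipher" with no pointer to the configuration key; `return nil, fmt.Errorf("parsing tls.override_tls_ciphers: %w", err)` keeps the chain intact (assuming fmt is already imported in home.go, which the hunk does not show). The same applies to the getTLSCiphers hunk later in this diff, which returns the ParseCipherIDs result directly, so wrapping in one of the two places is enough. initWeb starts and continues outside the hunk.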
@@ -889,15 +894,13 @@ type jsonError struct {
 	Message string `json:"message"`
 }
 
-// getTLSCiphers check for overriden tls ciphers, if the slice is
+// getTLSCiphers check for overridden tls ciphers, if the slice is
 // empty, then default safe ciphers are used
-func getTLSCiphers() []uint16 {
-	var cipher []uint16
-
+func getTLSCiphers() (cipherIds []uint16, err error) {
 	if len(config.TLS.OverrideTLSCiphers) == 0 {
-		cipher = aghtls.SaferCipherSuites()
+		return aghtls.SaferCipherSuites(), nil
 	} else {
-		cipher = aghtls.ParseCipherIDs(config.TLS.OverrideTLSCiphers)
+		log.Info("Overriding TLS Ciphers : %s", config.TLS.OverrideTLSCiphers)
+		return aghtls.ParseCipherIDs(config.TLS.OverrideTLSCiphers)
 	}
-	return cipher
 }
diff --git a/internal/home/web.go b/internal/home/web.go
index 5ece281983f..9a94bead5ab 100644
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -33,7 +33,6 @@ const (
 )
 
 type webConfig struct {
-	// Ciphers that are used for https listener
 	tlsCiphers []uint16
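Review bot: The `else` after a terminating `if` in getTLSCiphers is the shape Go style guides avoid; dropping it leaves the happy path flat: `if len(config.TLS.OverrideTLSCiphers) == 0 { return aghtls.SaferCipherSuites(), nil }` followed by the log line and the ParseCipherIDs return at function level. The named result `cipherIds` is never assigned and breaks the initialism casing used by `ParseCipherIDs` and `tlsCiphers` nearby; either rename it `cipherIDs` or drop the names, `func getTLSCiphers() ([]uint16, error)`. The doc comment should state the contract the code now has rather than "check for overridden tls ciphers", e.g. `// getTLSCiphers returns the cipher suite IDs listed in tls.override_tls_ciphers, or the default safe set when the list is empty. A name that crypto/tls does not list as a secure suite is an error, which makes initWeb fail instead of silently falling back.` Whether the returned IDs are applied as tls.Config.CipherSuites is outside this diff; if they are, Go ignores that field for TLS 1.3, so an override made only of TLS 1.3 suite names would leave TLS 1.2 clients with no usable suite, and a one-line warning about that in the same comment would help operators.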