Use secure cipher suites for tls by default (#380)

stingshen · web-flow · commit 17d6f4142d2e · 2023-12-29T01:48:50.000-05:00
diff --git a/auth_server/main.go b/auth_server/main.go
@@ -64,9 +64,7 @@ func ServeOnce(c *server.Config, cf string) (*server.AuthServer, *http.Server) {
 		glog.Exitf("Failed to create auth server: %s", err)
 	}
 
-	tlsConfig := &tls.Config{
-		PreferServerCipherSuites: true,
-	}
+	tlsConfig := &tls.Config{}
 	if c.Server.HSTS {
 		glog.Info("HTTP Strict Transport Security enabled")
 	}
@@ -101,6 +99,10 @@ func ServeOnce(c *server.Config, cf string) (*server.AuthServer, *http.Server) {
 		}
 		tlsConfig.CipherSuites = values
 		glog.Infof("TLS CipherSuites: %s", c.Server.TLSCipherSuites)
+	} else {
+		for _, s := range tls.CipherSuites() {
+			tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, s.ID)
+		}
 	}
 	if c.Server.CertFile != "" || c.Server.KeyFile != "" {
 		// Check for partial configuration.

Original file line number	Diff line number	Diff line change
`@@ -64,9 +64,7 @@ func ServeOnce(c server.Config, cf string) (server.AuthServer, *http.Server) {`
`64`	`64`	`glog.Exitf("Failed to create auth server: %s", err)`
`65`	`65`	`}`
`66`	`66`
`67`		`- tlsConfig := &tls.Config{`
`68`		`- PreferServerCipherSuites: true,`
`69`		`- }`
	`67`	`+ tlsConfig := &tls.Config{}`
`70`	`68`	`if c.Server.HSTS {`
`71`	`69`	`glog.Info("HTTP Strict Transport Security enabled")`
`72`	`70`	`}`
`@@ -101,6 +99,10 @@ func ServeOnce(c server.Config, cf string) (server.AuthServer, *http.Server) {`
`101`	`99`	`}`
`102`	`100`	`tlsConfig.CipherSuites = values`
`103`	`101`	`glog.Infof("TLS CipherSuites: %s", c.Server.TLSCipherSuites)`
	`102`	`+ } else {`
	`103`	`+ for _, s := range tls.CipherSuites() {`
	`104`	`+ tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, s.ID)`
	`105`	`+ }`
`104`	`106`	`}`
`105`	`107`	`if c.Server.CertFile != "" \|\| c.Server.KeyFile != "" {`
`106`	`108`	`// Check for partial configuration.`