feat: add TLSModeServerStrict and add X25519 curve to default prefs

tlsconfig.go

@@ -7,15 +7,20 @@ import "crypto/tls"
 type TLSModeServer string
 
 const (
-	// TLSModeServerStrict - this is serious and we do not mind loosing clients
+	// TLSModeServerVeryStrict enforces the latest tls standard, and should be used for service to service communication.
+	TLSModeServerVeryStrict TLSModeServer = "very-strict"
+
+	// TLSModeServerStrict - we do not mind loosing clients due to lacking support for modern tls versions
 	// (= Mozilla "modern" compatibility). Compatible clients have versions
 	// equal or greater than Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
 	// Android 4.4, Java 8
-	TLSModeServerStrict TLSModeServer = "strict"
+	TLSModeServerStrict = "strict"
+
 	// TLSModeServerLoose - ecommerce compromise
 	// Compatible clients (>=): Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
 	// Windows XP IE8, Android 2.3, Java 7
 	TLSModeServerLoose = "loose"
+
 	// TLSModeServerDefault - standard crypto/tls.Config untouched
 	// highly compatible and insecure
 	TLSModeServerDefault = "default"
@@ -49,6 +54,7 @@ func NewServerTLSConfig(mode TLSModeServer) *tls.Config {
 			tls.CurveP256,
 			tls.CurveP384,
 			tls.CurveP521,
+			tls.X25519,
 		}
 	case TLSModeServerStrict:
 		c.MinVersion = tls.VersionTLS12
@@ -64,6 +70,17 @@ func NewServerTLSConfig(mode TLSModeServer) *tls.Config {
 			tls.CurveP256,
 			tls.CurveP384,
 			tls.CurveP521,
+			tls.X25519,
+		}
+	case TLSModeServerVeryStrict:
+		c.MinVersion = tls.VersionTLS13
+		// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
+		// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
+		c.CipherSuites = []uint16{}
+		c.CurvePreferences = []tls.CurveID{
+			tls.CurveP384,
+			tls.CurveP521,
+			tls.X25519,
 		}
 	}
 	return c