tlsconfig/tlsconfig.go

// Package tlsconfig is a lightweight tls configuration package.
package tlsconfig

import "crypto/tls"

// TLSModeServer a type to define server tls config
type TLSModeServer string

const (
	// TLSModeServerVeryStrict enforces the latest tls standard, and should be used for service to service communication.
	TLSModeServerVeryStrict TLSModeServer = "very-strict"

	// TLSModeServerStrict - we do not mind loosing clients due to lacking support for modern tls versions
	// (= Mozilla "modern" compatibility). Compatible clients have versions
	// equal or greater than Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
	// Android 4.4, Java 8
	TLSModeServerStrict = "strict"

	// TLSModeServerLoose - ecommerce compromise
	// Compatible clients (>=): Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
	// Windows XP IE8, Android 2.3, Java 7
	TLSModeServerLoose = "loose"

	// TLSModeServerDefault - standard crypto/tls.Config untouched
	// highly compatible and insecure
	TLSModeServerDefault = "default"
)

// NewServerTLSConfig - server tls config
func NewServerTLSConfig(mode TLSModeServer) *tls.Config {
	c := &tls.Config{}
	switch mode {
	case TLSModeServerDefault:
		// will not touch this one, but trust the golang team
	case TLSModeServerLoose:
		c.MinVersion = tls.VersionTLS10
		c.CipherSuites = []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		}
		c.CurvePreferences = []tls.CurveID{
			tls.CurveP256,
			tls.CurveP384,
			tls.CurveP521,
			tls.X25519,
		}
	case TLSModeServerStrict:
		c.MinVersion = tls.VersionTLS12
		c.CipherSuites = []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
		}
		c.CurvePreferences = []tls.CurveID{
			tls.CurveP256,
			tls.CurveP384,
			tls.CurveP521,
			tls.X25519,
		}
	case TLSModeServerVeryStrict:
		c.MinVersion = tls.VersionTLS13
		// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
		// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
		c.CipherSuites = []uint16{}
		c.CurvePreferences = []tls.CurveID{
			tls.CurveP384,
			tls.CurveP521,
			tls.X25519,
		}
	}
	return c
}