
Function configureCipherSuites

cli/server.go:1852–1932  ·  view source on GitHub ↗

nolint:revive

(ctx context.Context, logger slog.Logger, ciphers []string, allowInsecureCiphers bool, minTLS, maxTLS uint16)


1851//nolint:revive
1852func configureCipherSuites(ctx context.Context, logger slog.Logger, ciphers []string, allowInsecureCiphers bool, minTLS, maxTLS uint16) ([]uint16, error) {
1853 if minTLS > maxTLS {
1854 return nil, xerrors.Errorf("minimum tls version (%s) cannot be greater than maximum tls version (%s)", versionName(minTLS), versionName(maxTLS))
1855 }
1856 if minTLS >= tls.VersionTLS13 {
1857 // The cipher suites config option is ignored for tls 1.3 and higher.
1858 // So this user flag is a no-op if the min version is 1.3.
1859 return nil, xerrors.Errorf("'--tls-ciphers' cannot be specified when using minimum tls version 1.3 or higher, %d ciphers found as input.", len(ciphers))
1860 }
1861 // Configure the cipher suites which parses the strings and converts them
1862 // to golang cipher suites.
1863 supported, err := parseTLSCipherSuites(ciphers)
1864 if err != nil {
1865 return nil, xerrors.Errorf("tls ciphers: %w", err)
1866 }
1867
1868 // allVersions is all tls versions the server supports.
1869 // We enumerate these to ensure if ciphers are configured, at least
1870 // 1 cipher for each version exists.
1871 allVersions := make(map[uint16]bool)
1872 for v := minTLS; v <= maxTLS; v++ {
1873 allVersions[v] = false
1874 }
1875
1876 var insecure []string
1877 cipherIDs := make([]uint16, 0, len(supported))
1878 for _, cipher := range supported {
1879 if cipher.Insecure {
1880 // Always show this warning, even if they have allowInsecureCiphers
1881 // specified.
1882 logger.Warn(ctx, "insecure tls cipher specified for server use", slog.F("cipher", cipher.Name))
1883 insecure = append(insecure, cipher.Name)
1884 }
1885
1886 // This is a warning message to tell the user if they are specifying
1887 // a cipher that does not support the tls versions they have specified.
1888 // This makes the cipher essentially a "noop" cipher.
1889 if !hasSupportedVersion(minTLS, maxTLS, cipher.SupportedVersions) {
1890 versions := make([]string, 0, len(cipher.SupportedVersions))
1891 for _, sv := range cipher.SupportedVersions {
1892 versions = append(versions, versionName(sv))
1893 }
1894 logger.Warn(ctx, "cipher not supported for tls versions enabled, cipher will not be used",
1895 slog.F("cipher", cipher.Name),
1896 slog.F("cipher_supported_versions", strings.Join(versions, ",")),
1897 slog.F("server_min_version", versionName(minTLS)),
1898 slog.F("server_max_version", versionName(maxTLS)),
1899 )
1900 }
1901
1902 for _, v := range cipher.SupportedVersions {
1903 allVersions[v] = true
1904 }
1905
1906 cipherIDs = append(cipherIDs, cipher.ID)
1907 }
1908
1909 if len(insecure) > 0 && !allowInsecureCiphers {
