| 1850 | |
| 1851 | //nolint:revive |
| 1852 | func configureCipherSuites(ctx context.Context, logger slog.Logger, ciphers []string, allowInsecureCiphers bool, minTLS, maxTLS uint16) ([]uint16, error) { |
| 1853 | if minTLS > maxTLS { |
| 1854 | return nil, xerrors.Errorf("minimum tls version (%s) cannot be greater than maximum tls version (%s)", versionName(minTLS), versionName(maxTLS)) |
| 1855 | } |
| 1856 | if minTLS >= tls.VersionTLS13 { |
| 1857 | // The cipher suites config option is ignored for tls 1.3 and higher. |
| 1858 | // So this user flag is a no-op if the min version is 1.3. |
| 1859 | return nil, xerrors.Errorf("'--tls-ciphers' cannot be specified when using minimum tls version 1.3 or higher, %d ciphers found as input.", len(ciphers)) |
| 1860 | } |
| 1861 | // Configure the cipher suites which parses the strings and converts them |
| 1862 | // to golang cipher suites. |
| 1863 | supported, err := parseTLSCipherSuites(ciphers) |
| 1864 | if err != nil { |
| 1865 | return nil, xerrors.Errorf("tls ciphers: %w", err) |
| 1866 | } |
| 1867 | |
| 1868 | // allVersions is all tls versions the server supports. |
| 1869 | // We enumerate these to ensure if ciphers are configured, at least |
| 1870 | // 1 cipher for each version exists. |
| 1871 | allVersions := make(map[uint16]bool) |
| 1872 | for v := minTLS; v <= maxTLS; v++ { |
| 1873 | allVersions[v] = false |
| 1874 | } |
| 1875 | |
| 1876 | var insecure []string |
| 1877 | cipherIDs := make([]uint16, 0, len(supported)) |
| 1878 | for _, cipher := range supported { |
| 1879 | if cipher.Insecure { |
| 1880 | // Always show this warning, even if they have allowInsecureCiphers |
| 1881 | // specified. |
| 1882 | logger.Warn(ctx, "insecure tls cipher specified for server use", slog.F("cipher", cipher.Name)) |
| 1883 | insecure = append(insecure, cipher.Name) |
| 1884 | } |
| 1885 | |
| 1886 | // This is a warning message to tell the user if they are specifying |
| 1887 | // a cipher that does not support the tls versions they have specified. |
| 1888 | // This makes the cipher essentially a "noop" cipher. |
| 1889 | if !hasSupportedVersion(minTLS, maxTLS, cipher.SupportedVersions) { |
| 1890 | versions := make([]string, 0, len(cipher.SupportedVersions)) |
| 1891 | for _, sv := range cipher.SupportedVersions { |
| 1892 | versions = append(versions, versionName(sv)) |
| 1893 | } |
| 1894 | logger.Warn(ctx, "cipher not supported for tls versions enabled, cipher will not be used", |
| 1895 | slog.F("cipher", cipher.Name), |
| 1896 | slog.F("cipher_supported_versions", strings.Join(versions, ",")), |
| 1897 | slog.F("server_min_version", versionName(minTLS)), |
| 1898 | slog.F("server_max_version", versionName(maxTLS)), |
| 1899 | ) |
| 1900 | } |
| 1901 | |
| 1902 | for _, v := range cipher.SupportedVersions { |
| 1903 | allVersions[v] = true |
| 1904 | } |
| 1905 | |
| 1906 | cipherIDs = append(cipherIDs, cipher.ID) |
| 1907 | } |
| 1908 | |
| 1909 | if len(insecure) > 0 && !allowInsecureCiphers { |