setDefaultTLSParams sets the default TLS cipher suites, protocol versions, and server preferences of cfg if they are not already set; it does not overwrite values, only fills in missing values.
(cfg *tls.Config)
| 929 | // and server preferences of cfg if they are not already set; it does not |
| 930 | // overwrite values, only fills in missing values. |
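func setDefaultTLSParams(cfg *tls.Config) {
	if len(cfg.CipherSuites) == 0 {
		cfg.CipherSuites = getOptimalDefaultCipherSuites()
	}

	// TLS_FALLBACK_SCSV is not a real cipher suite; it is the RFC 7507
	// signalling value used to detect a peer that retries the handshake with
	// a downgraded protocol version. It is prepended rather than appended
	// because the default suite list can contain non-HTTP/2-approved suites
	// near its end, and net/http's HTTP/2 setup rejects a CipherSuites list
	// that places an approved entry after an unapproved one.
	//
	// The prepend is guarded so that calling this function more than once on
	// the same cfg, or on a cfg whose caller already listed the value, does
	// not accumulate duplicate entries (the doc comment promises this only
	// fills in missing values). A fresh backing array is allocated by the
	// append, so the caller's slice is never modified in place.
	hasFallbackSCSV := false
	for _, id := range cfg.CipherSuites {
		if id == tls.TLS_FALLBACK_SCSV {
			hasFallbackSCSV = true
			break
		}
	}
	if !hasFallbackSCSV {
		cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
	}

	// Copy the package-level default so that a caller that later edits
	// cfg.CurvePreferences in place cannot alter the shared default for
	// every other config built by this function.
	if len(cfg.CurvePreferences) == 0 {
		cfg.CurvePreferences = append([]tls.CurveID(nil), defaultCurves...)
	}

	// crypto/tls docs:
	// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
	// Encrypted Client Hello only exists in TLS 1.3, so an explicit lower
	// floor would make crypto/tls reject the config outright; raise it
	// instead of failing later. An unset MinVersion (0) is left alone, as
	// the rule above only applies when the caller set one.
	if cfg.EncryptedClientHelloKeys != nil && cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS13 {
		cfg.MinVersion = tls.VersionTLS13
	}
}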
| 950 | |
| 951 | // LeafCertClientAuth verifies the client's leaf certificate. |
| 952 | type LeafCertClientAuth struct { |