
Function setDefaultTLSParams

modules/caddytls/connpolicy.go:931–949  ·  view source on GitHub ↗

setDefaultTLSParams sets the default TLS cipher suites, protocol versions, and server preferences of cfg if they are not already set; it does not overwrite values, only fills in missing values.

(cfg *tls.Config)


929// and server preferences of cfg if they are not already set; it does not
930// overwrite values, only fills in missing values.
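// The fallback signaling value TLS_FALLBACK_SCSV is prepended at most once,
// so running this more than once on the same cfg (or on a cfg whose
// user-supplied list already carries it) does not grow the list; the
// default curve list is copied so later edits to cfg cannot alter the
// shared package default.
func setDefaultTLSParams(cfg *tls.Config) {
	if len(cfg.CipherSuites) == 0 {
		cfg.CipherSuites = getOptimalDefaultCipherSuites()
	}

	// Not a cipher suite, but still important for mitigating protocol downgrade attacks
	// (prepend since having it at end breaks http2 due to non-h2-approved suites before it).
	// Only prepend when absent, so the operation is idempotent and the list never
	// carries duplicates.
	hasSCSV := false
	for _, s := range cfg.CipherSuites {
		if s == tls.TLS_FALLBACK_SCSV {
			hasSCSV = true
			break
		}
	}
	if !hasSCSV {
		cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
	}

	if len(cfg.CurvePreferences) == 0 {
		// Copy rather than alias: cfg is mutable, and assigning the package-level
		// slice directly would let one config's edits leak into every other.
		cfg.CurvePreferences = append([]tls.CurveID(nil), defaultCurves...)
	}

	// crypto/tls docs:
	// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
	// A zero MinVersion counts as "not set" for that rule, so it is left alone;
	// only an explicit pre-1.3 floor is raised.
	if cfg.EncryptedClientHelloKeys != nil && cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS13 {
		cfg.MinVersion = tls.VersionTLS13
	}
}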
950
951// LeafCertClientAuth verifies the client's leaf certificate.
952type LeafCertClientAuth struct {

Tested by

no test coverage detected