more restrictive tls ciphers

2014-12-14 19:37:42 -06:00
parent 304893313a
commit 481a472f8b
4 changed files with 28 additions and 7 deletions
--- a/cmd/keygen.go
+++ b/cmd/keygen.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"strings"

 	"github.com/MDrollette/go-i2p/reseed"
 	"github.com/MDrollette/go-i2p/su3"
@@ -38,7 +37,8 @@ func keygenAction(c *cli.Context) {
 	host := c.String("host")

 	if signerId == "" && host == "" {
-		log.Fatalln("You must specify either a --host or a --signer")
+		fmt.Println("You must specify either --host or --signer")
+		return
 	}

 	if signerId != "" {
@@ -61,7 +61,7 @@ func createSigner(signerId string) {
 	signerCert, err := su3.NewSigningCertificate(signerId, signerKey)

 	// save cert
-	certFile := strings.Replace(signerId, "@", "_at_", 1) + ".crt"
+	certFile := signerFile(signerId) + ".crt"
 	certOut, err := os.Create(certFile)
 	if err != nil {
 		log.Printf("failed to open %s for writing\n", certFile)
@@ -72,7 +72,7 @@ func createSigner(signerId string) {
 	fmt.Println("signing certificate saved to:", certFile)

 	// save signing private key
-	privFile := strings.Replace(signerId, "@", "_at_", 1) + ".pem"
+	privFile := signerFile(signerId) + ".pem"
 	keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		log.Printf("failed to open %s for writing\n", privFile)
--- a/cmd/reseeder.go
+++ b/cmd/reseeder.go
@@ -31,10 +31,12 @@ func NewReseedCommand() cli.Command {
 			},
 			cli.StringFlag{
 				Name:  "tlsCert",
+				Value: "tls_cert.pem",
 				Usage: "Path to a TLS certificate",
 			},
 			cli.StringFlag{
 				Name:  "tlsKey",
+				Value: "tls_key.pem",
 				Usage: "Path to a TLS private key",
 			},
 			cli.StringFlag{
@@ -89,11 +91,9 @@ func reseedAction(c *cli.Context) {
 		return
 	}

-	// @todo: prompt to generate a new key
 	signerKey := c.String("key")
 	if signerKey == "" {
-		fmt.Println("--key is required")
-		return
+		signerKey = signerFile(signerId)
 	}

 	reloadIntvl, err := time.ParseDuration(c.String("interval"))
@@ -112,6 +112,7 @@ func reseedAction(c *cli.Context) {
 	log.Printf("Using %d CPU cores.\n", cpus)

 	// load our signing privKey
+	// @todo: prompt to generate a new signing key if this one doesn't exist
 	privKey, err := loadPrivateKey(signerKey)
 	if nil != err {
 		log.Fatalln(err)
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"io/ioutil"
+	"strings"
 )

 func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
@@ -21,3 +22,7 @@ func loadPrivateKey(path string) (*rsa.PrivateKey, error) {

 	return privKey, nil
 }
+
+func signerFile(signerId string) string {
+	return strings.Replace(signerId, "@", "_at_", 1)
+}
--- a/reseed/server.go
+++ b/reseed/server.go
@@ -27,6 +27,21 @@ func NewServer(prefix string, trustProxy bool) *Server {
 	config := &tls.Config{
 		MinVersion:               tls.VersionTLS10,
 		PreferServerCipherSuites: true,
+
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			tls.TLS_FALLBACK_SCSV,
+		},
 	}
 	h := &http.Server{TLSConfig: config}
 	server := Server{h, nil}