Updating TLS cipher config parser to include TLS 1.3 constants. Fixes #…

…903 minor update to build script bump go version in github action refactor to not hardcode TLS cipher suite constant name conversion, instead call tls.CipherSuites() and tls.InsecureCipherSuites() to populate the map.
fabiolb · Sep 13, 2022 · 5910520 · 5910520
1 parent 555ec69
commit 5910520
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 29 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,7 +5,7 @@ jobs:
     strategy:
       matrix:
         os: [ ubuntu-latest ]
-        go: [ '1.18.4', '1.17.12' ]
+        go: [ '1.19.1', '1.18.6' ]
     runs-on: ${{matrix.os}}
     steps:
       - name: Install Go

diff --git a/build/tag.sh b/build/tag.sh
@@ -9,7 +9,7 @@ v=$1
 
 [[ -n "$v" ]] || read -p "Enter version (e.g. 1.0.4): " v
 if [[ -z "$v" ]]; then
-	echo "Usage: $0 <version> (e.g. 1.0.4)"
+	echo "Usage: $0 <version> <remote>"
 	exit 1
 fi
 
@@ -25,3 +25,14 @@ sed -i '' -e "s|^var version .*$|var version = \"$v\"|" $basedir/main.go
 git add $basedir/main.go
 git commit -S -m "Release v$v" || true
 git tag -s v$v -m "Tag v${v}"
+
+remote=$2
+
+[[ -n "$origin" ]] || read -p "Enter remote (e.g. origin): " origin
+
+if [[ -z "$origin" ]]; then
+	echo "Usage: $0 <version> <remote>"
+	exit 1
+fi
+
+git push $remote $version
diff --git a/config/load.go b/config/load.go
@@ -17,9 +17,21 @@ import (
 	"github.com/magiconair/properties"
 )
 
+var tlsciphers map[string]uint16
+
+func loadCiphers() {
+	tlsciphers = make(map[string]uint16)
+	for _, c := range tls.CipherSuites() {
+		tlsciphers[c.Name] = c.ID
+	}
+	for _, c := range tls.InsecureCipherSuites() {
+		tlsciphers[c.Name] = c.ID
+	}
+}
+
 func Load(args, environ []string) (cfg *Config, err error) {
 	var props *properties.Properties
-
+	loadCiphers()
 	cmdline, path, version, err := parse(args)
 	switch {
 	case err != nil:
@@ -505,31 +517,6 @@ var tlsver = map[string]uint16{
 	"tls13": tls.VersionTLS13,
 }
 
-var tlsciphers = map[string]uint16{
-	"TLS_RSA_WITH_RC4_128_SHA":                0x0005,
-	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           0x000a,
-	"TLS_RSA_WITH_AES_128_CBC_SHA":            0x002f,
-	"TLS_RSA_WITH_AES_256_CBC_SHA":            0x0035,
-	"TLS_RSA_WITH_AES_128_CBC_SHA256":         0x003c,
-	"TLS_RSA_WITH_AES_128_GCM_SHA256":         0x009c,
-	"TLS_RSA_WITH_AES_256_GCM_SHA384":         0x009d,
-	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        0xc007,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    0xc009,
-	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    0xc00a,
-	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          0xc011,
-	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     0xc012,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      0xc013,
-	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      0xc014,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": 0xc023,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   0xc027,
-	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   0xc02f,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xc02b,
-	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   0xc030,
-	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xc02c,
-	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    0xcca8,
-	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  0xcca9,
-}
-
 func parseTLSVersion(s string) (uint16, error) {
 	s = strings.ToLower(strings.TrimSpace(s))
 	if n, ok := tlsver[s]; ok {

diff --git a/proxy/http_proxy.go b/proxy/http_proxy.go
@@ -193,7 +193,7 @@ func (p *HTTPProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	trace.InjectHeaders(span, r)
 
 	upgrade, accept := r.Header.Get("Upgrade"), r.Header.Get("Accept")
-	
+
 	tr := p.Transport
 	if t.Transport != nil {
 		tr = t.Transport