enabling TLS 1.3 only

2019-04-21 13:10:18 +02:00
parent b4dba17dcf
commit 7267f1d718
3 changed files with 26 additions and 11 deletions
--- a/history.txt
+++ b/history.txt
@ -1,3 +1,7 @@
+2019-04-21
+ * app.Version = "0.1.7"
+ * enabling TLS 1.3 *only*
+
 2016-12-21
 * deactivating previous random time delta, makes only sense when patching ri too
 * app.Version = "0.1.6"
@ -27,4 +31,4 @@
 * numRi per su3 file: 75 --> 77

 2016-01
- * fork from https://github.com/MDrollette/i2p-tools
+ * fork from https://github.com/MDrollette/i2p-tools
--- a/main.go
+++ b/main.go
@ -9,12 +9,17 @@ import (
 )

 func main() {
+	// TLS 1.3 is available only on an opt-in basis in Go 1.12. 
+	// To enable it, set the GODEBUG environment variable (comma-separated key=value options) such that it includes "tls13=1". 
+	// To enable it from within the process, set the environment variable before any use of TLS: 
+	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+
 	// use at most half the cpu cores
 	runtime.GOMAXPROCS(runtime.NumCPU() / 2)

 	app := cli.NewApp()
 	app.Name = "i2p-tools"
-	app.Version = "0.1.6"
+	app.Version = "0.1.7"
 	app.Usage = "I2P tools and reseed server"
 	app.Author = "martin61"
 	app.Email = "noemail"
--- a/reseed/server.go
+++ b/reseed/server.go
@ -70,17 +70,23 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error {

 func NewServer(prefix string, trustProxy bool) *Server {
 	config := &tls.Config{
-		MinVersion:               tls.VersionTLS10,
+//		MinVersion:               tls.VersionTLS10,
+//		PreferServerCipherSuites: true,
+//		CipherSuites: []uint16{
+//			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+//			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+//			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+//			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+//			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+//		},
+		MinVersion:               tls.VersionTLS13,
 		PreferServerCipherSuites: true,
 		CipherSuites: []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
 		},
 		CurvePreferences: []tls.CurveID{tls.CurveP384, tls.CurveP521},		// default CurveP256 removed
 	}