
     1  package tlshelper
     2  
     3  import "crypto/tls"
     4  
     5  // The intent of this file is to provide secure base TLS configurations across all our proxies.
     6  
     7  // TODO: This configuration can become limiting, but it is what we support today.
     8  //   Feature: Users might want to add additional configs or alternatively
     9  //            if the service is exposed, auto-discover them from the certificate
    10  //            provided.
    11  
    12  // NewBaseTLSClientConfig provides the generic base config to be used on a client.
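func NewBaseTLSClientConfig() *tls.Config {
	return &tls.Config{
		PreferServerCipherSuites: true,
		SessionTicketsDisabled:   true,
		// Explicit floor: without MinVersion the crypto/tls default applies,
		// and older Go releases still accepted TLS 1.0 on the client side.
		MinVersion: tls.VersionTLS12,
		// For now TLS 1.2 is the supported maximum version.
		// TODO: Need to test before enabling TLS 1.3, currently TLS 1.3 doesn't work with envoy.
		MaxVersion: tls.VersionTLS12,
	}
}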
    23  
    24  // NewBaseTLSServerConfig provides the generic base config to be used on a server.
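func NewBaseTLSServerConfig() *tls.Config {
	return &tls.Config{
		PreferServerCipherSuites: true,
		SessionTicketsDisabled:   true,
		// A client certificate is verified when one is presented, but a
		// client that sends none is still accepted; whether an anonymous
		// client is allowed to proceed is decided by the caller, not here.
		ClientAuth: tls.VerifyClientCertIfGiven,
		// Same floor as the client config so both sides refuse TLS 1.0/1.1
		// up front; every suite listed below is a TLS 1.2 suite anyway.
		MinVersion: tls.VersionTLS12,
		// Forward-secret (ECDHE) AEAD suites only, ordered strongest first.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}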