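package goproxy

import (
	"crypto/tls"
	"crypto/x509"
)

// init parses the builtin CA certificate once at package load and stores
// the result in GoproxyCa.Leaf so that callers can read the CA's x509
// fields (subject, validity window, key usage) without re-parsing the DER.
//
// The builtin CA is compiled into the binary, so a parse failure is a
// build defect rather than a runtime condition; there is no caller to
// return an error to, hence the panic.
func init() {
	if goproxyCaErr != nil {
		panic("Error parsing builtin CA " + goproxyCaErr.Error())
	}
	leaf, err := x509.ParseCertificate(GoproxyCa.Certificate[0])
	if err != nil {
		panic("Error parsing builtin CA " + err.Error())
	}
	GoproxyCa.Leaf = leaf
}

// newProxyTLSConfig builds the tls.Config used for both tlsClientSkipVerify
// and defaultTLSConfig. Each call returns a fresh config with its own
// CipherSuites slice, so mutating one package-level config (for example a
// caller that appends a suite or overrides MinVersion) does not leak into
// the other.
//
// SECURITY: InsecureSkipVerify is set, so a connection made with this
// config accepts whatever certificate chain the peer presents; the peer's
// identity is NOT authenticated. When the proxy dials an upstream origin
// with this config, an on-path attacker between the proxy and the origin
// can impersonate the origin, and clients behind the proxy cannot detect
// it because they only ever see the proxy-minted certificate. Which
// endpoints use these configs is decided elsewhere in the package; a
// deployment that needs upstream authentication must supply its own
// tls.Config with RootCAs (or VerifyPeerCertificate) instead of relying on
// these defaults.
//
// The cipher suite list is Go's default list (as of go 1.8.3), with the
// following differences:
//
//   - 3DES-based cipher suites have been removed. This cipher is
//     vulnerable to the Sweet32 attack and is sometimes reported by
//     security scanners. (This is arguably a false positive since it
//     will never be selected: any TLS1.2 implementation MUST include at
//     least one cipher higher in the priority list, but there's also no
//     reason to keep it around.)
//   - AES is always prioritized over ChaCha20. Go makes this decision by
//     default based on the presence or absence of hardware AES
//     acceleration.
//     TODO(bdarnell): do the same detection here. See
//     https://github.com/golang/go/issues/21167
//
// Note that some TLS cipher suite guidance (such as Mozilla's[1])
// recommends replacing the CBC_SHA suites below with CBC_SHA384 or
// CBC_SHA256 variants. We do not do this because Go does not currently
// implement the CBC_SHA384 suites, and its CBC_SHA256 implementation is
// vulnerable to the Lucky13 attack and is disabled by default.[2]
//
// PreferServerCipherSuites only influences suite selection when Go is the
// server side of the handshake; on the client side the list above still
// determines which suites are offered, in this order.
//
// [1]: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
// [2]: https://github.com/golang/go/commit/48d8edb5b21db190f717e035b4d9ab61a077f9d7
func newProxyTLSConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:       true,
		PreferServerCipherSuites: true,
		CipherSuites: []uint16{
			// AEAD suites with forward secrecy first, AES before ChaCha20.
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			// CBC fallbacks with forward secrecy (see comment above on
			// why the SHA256/SHA384 CBC variants are not used).
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			// Static RSA key exchange last: no forward secrecy, kept only
			// for peers that offer nothing better.
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
		// TLS 1.0/1.1 are refused outright.
		MinVersion: tls.VersionTLS12,
	}
}

// tlsClientSkipVerify is the TLS config used when the proxy itself acts as
// a TLS client. As the name says, it does not verify the peer certificate;
// see newProxyTLSConfig for the consequences.
var tlsClientSkipVerify = newProxyTLSConfig()

// defaultTLSConfig is the default TLS config handed out by the package.
// It is currently identical in content to tlsClientSkipVerify but is a
// distinct object so the two can be tuned independently by callers.
var defaultTLSConfig = newProxyTLSConfig()

// CA_CERT is the PEM-encoded builtin CA certificate that the proxy uses to
// sign the certificates it mints for intercepted hosts.
//
// SECURITY: because CA_KEY (below) is committed to the repository, this CA
// must be treated as public. Any client that installs CA_CERT as trusted
// can be silently intercepted by anyone who can reach it on the network,
// not just by this proxy. It is suitable for local development and tests
// only; production deployments must generate their own CA and set
// GoproxyCa accordingly. The certificate also carries a fixed validity
// window (decoding the PEM suggests roughly 2017-02-22 through 2022-02-21
// — confirm via GoproxyCa.Leaf.NotBefore/NotAfter); clients that enforce
// validity will reject certificates chained to it once it has expired.
var CA_CERT = []byte(`-----BEGIN CERTIFICATE-----
MIIF8jCCA9qgAwIBAgIUAp68XvvuMwaTCeQQjGxHEZhJcPgwDQYJKoZIhvcNAQEN
BQAwgZAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzEUMBIGA1UEChMLQ29yZU9TLCBJbmMxIjAgBgNVBAsTGWdpdGh1Yi5j
b20vY29yZW9zL2dvcHJveHkxIjAgBgNVBAMTGWdpdGh1Yi5jb20vY29yZW9zL2dv
cHJveHkwHhcNMTcwMjIyMjI0NjAwWhcNMjIwMjIxMjI0NjAwWjCBkDELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRQwEgYD
VQQKEwtDb3JlT1MsIEluYzEiMCAGA1UECxMZZ2l0aHViLmNvbS9jb3Jlb3MvZ29w
cm94eTEiMCAGA1UEAxMZZ2l0aHViLmNvbS9jb3Jlb3MvZ29wcm94eTCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBANghh+Y4gUYyIY1YzAgHBuLjTt13z5ED
tbjksaK8kUMofaYCnQRrepTORB3xpxn9cIXpmmPND/c3pUZz+sSbidZF+Rfkz+G4
oo5I04X7R2iFrw9jECcavr7qGqOt+vhep9iqVaioSWTKZoXY9FOxTpEUfdKyLE8K
7rd6PfdjkbZ2ZqoKdRHARBE6QlTJv+elIRM6kzshx0oSdZfaUvLdmXFqHdfKz8gb
FABaa8Aca6r76wHRnhK3+RQ2p+Wfz45/ZMxqQVIMr2mbiCCL4lSUPkUrid6L5DoA
4A4pLqY+Y0cX2qIF+lmgUwUPvunqM7dA9toHjwBgeB1yF+jVOhFOizB/dXSCsBA2
D47raP3REIxE6N05pEpGZqUPatcdyakP1Dan9aVO2W3o7P/LGPBdB5AiwVxRiVPx
dNrz+UcE3dCPBrc9bxJLjyD7PtgPTrZ+hzR/kBfBW/+jvBRKIB5NCNSuQEUN99it
P1fIencEz1ghaWhCAU5tQutnVBu8d0YlgjfnaD4vCJYEprifAiIpgZH3HaiHfG14
UXFbdU0MmuIrie2PMAGmtnjhWHG0vc8f2THRklq/CtbfNWtPzUfYv+rpaOFw7bj+
km0n3kVuGzWZhXPixe63TATR5lK9p21CZPXS+2mW/8uswBiJ4aT5lUZmCf/i1xyn
Gzgv9so56vjFAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD
AQH/MB0GA1UdDgQWBBSYLcfHmyPv3jmdTyBs/lu5PZLxPTANBgkqhkiG9w0BAQ0F
AAOCAgEAppb+3MhGcL/IjqyRIWCc587eVMMtuHwGlczpMfXnf8TU0MPrvOdTPrqg
a+AEc1W8O6IGrowmgbZVgfr7Pw0BL4VcSdAEbP7QcbPmRAudF+/xdm5vylJmB339
4Yq5v1G2Ya5AN5PAHx3WVOA7s/caz30DGrsAoNhezlrk8WJRRxrQUauNveXyxNya
urBrqjqNVUWAlv2fRHuNXsxMvG32MWQ1BoPa9Ix+dUWYeeWkxS5E9oNo99TRRTHB
WX4SpsIynmhE+pFEzu2HVP2k5GE5+i78F9/N0cgI5QMSzgYxSebyPEflL1ziqWoq
4xio69OM0Cq+GCxvOZmvKaNlOjwJa6NWa8IyumNFclTLNzMlBaDkVE9Tb5VEBphO
ODzSxFMuAfXba4UlRjG9+BLg8ayzu2t9amB+B5/3/1+gkx1TE26jZNwleU6MnpFv
umPqPa9AW2ZPobCTGjV3MwOIKFyO/cPt4fI6BpKF7jYhUYzsht/BZqQZU/rWY6h8
GSEH8LcJk+Paaw03HzZWSbMp2oXNTz/BpQjuAdWAkeS3yhx5gvHIysWHvPRT017b
Tx+Va9+T4DElT0HtmR/w27bXNL9Urj38ETSlbYoilL7ZKltj8djXmqkI1ZF8T1zk
tj1zk0XYkestBgfrk9XYwvvL7DLyRPPZTAiVq/o5xn5zWp/y40M=
-----END CERTIFICATE-----`)

// CA_KEY is the PEM-encoded RSA private key matching CA_CERT.
//
// SECURITY: this key is public by virtue of being in the source tree.
// Anyone holding it can mint certificates for any hostname that will be
// accepted by every client trusting CA_CERT. Never install CA_CERT into a
// trust store outside a throwaway development or test environment, and
// never reuse this key pair in production.
var CA_KEY = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEA2CGH5jiBRjIhjVjMCAcG4uNO3XfPkQO1uOSxoryRQyh9pgKd
BGt6lM5EHfGnGf1whemaY80P9zelRnP6xJuJ1kX5F+TP4biijkjThftHaIWvD2MQ
Jxq+vuoao636+F6n2KpVqKhJZMpmhdj0U7FOkRR90rIsTwrut3o992ORtnZmqgp1
EcBEETpCVMm/56UhEzqTOyHHShJ1l9pS8t2ZcWod18rPyBsUAFprwBxrqvvrAdGe
Erf5FDan5Z/Pjn9kzGpBUgyvaZuIIIviVJQ+RSuJ3ovkOgDgDikupj5jRxfaogX6
WaBTBQ++6eozt0D22gePAGB4HXIX6NU6EU6LMH91dIKwEDYPjuto/dEQjETo3Tmk
SkZmpQ9q1x3JqQ/UNqf1pU7Zbejs/8sY8F0HkCLBXFGJU/F02vP5RwTd0I8Gtz1v
EkuPIPs+2A9Otn6HNH+QF8Fb/6O8FEogHk0I1K5ARQ332K0/V8h6dwTPWCFpaEIB
Tm1C62dUG7x3RiWCN+doPi8IlgSmuJ8CIimBkfcdqId8bXhRcVt1TQya4iuJ7Y8w
Aaa2eOFYcbS9zx/ZMdGSWr8K1t81a0/NR9i/6ulo4XDtuP6SbSfeRW4bNZmFc+LF
7rdMBNHmUr2nbUJk9dL7aZb/y6zAGInhpPmVRmYJ/+LXHKcbOC/2yjnq+MUCAwEA
AQKCAgBDt83SzmWCzvZASVA0O69mq33sWjvI3fa0JcOaj6ab+jXULAFyfxJ7SV2C
XFLVC9mTu6vKFVgpR2AbgP9TVsCLSIVRfTm9KZKVLjBITIEFOM2u7oUDG5gkTUln
e32lEFNayZPpMkE8uUYCLgXvqyBIyLjbqUPEyFIfXsfHmYTwPIzSPlCL7UfmdfCO
jF/6fnysf6/d2SmOBdaea6ONwOzw4iTTlhIgSouryKj2GnGJs0Dg4wK6LrZ2JOHa
SoZHyZaVjb1Frf/QARFX0Txq77/LAGdEOWSa3+dTyId7QxTsE4dHOMRGDLu2XEaf
F+h4RHyTt8aQgalg4HypURXOkmN9jSodE8wBlj+oA5AOTFknqu2RMH+UX82uC4gs
ccVDvd553SJyUtpSkvLvYv2Lu+o4w+uDsYZhdt12MDucnTwAzUqOWt2OSuX5LwZO
Qi0xTmj5YnOju9MayfSuh14YRvxsVDK0XTZGm1FVlLtm6iitdSWCXZjGgKHEmNCk
spd8sxdROxUID79tp4SVuAHzLZ3OTUrMVRvUksFRIiOX4vwcupvS8OVnRFC0yTpB
d+V126XI5qISP0nAEvYOuI3GF3RiEiJ6P9PL15on3YY4AzmaAC8OimlFc7Gv2Vkt
L7EvT83u/vT00H4xt85YMUksLupQXKSRnm7aTpHdW59zNO7AQQKCAQEA7QtGuzTt
hG17hOBJ/VK9PE1Jy7aQ+SBZiY+92KgE9xAYoyPsFb/o0gLd11achsPUpTlku08n
sgaW33wxFvTPL3Qf0TAwXxvavA/2JNboDy7iQbP7SBsNg0DaBU77bBpZo3/DBqK8
vQPHN+CjiXLYqKFKk4FCX9umN6h1TClFmAQF9VS6pPjZJum3ECgHpvQJQlf4IX/l
B9rV0wgfy1rnRgSC7eFSYaRiGv8uu1N9EHWQNa3R/a/2lADDTnwWcDsyE1Lu9WoT
fv4LcOoYAvvNCSzkDwffvQcpJKluMcpZWOO6RqODdS4rv6nIS/Tyucj9jT0+6DGh
raH80VDS0i+5aQKCAQEA6WogPbSqodvx5gwCCnQ6P/inbQV5rWU9hQfBmhYHGLan
9cFMcZFWDDLvvEsuvdReFbnwsSfCT8BJWE/xsHbn39ep7mdPunqN3tfyF5sYRS18
nLJrOQM50xePMbwFd7mnSuUauiDGPpOr0TF7C6kzUyTT3Mnzcxta5Yzpi9rQkm4C
PcxctPrM6Xq3JZVrehZ/t1Ok+srEpfLbOMcDu22DejjfvMF0enSKZVEGTq3Ls1Yc
LjhAoOP/YL9LcQqYmIkw8Cj9/5DEGaX97of+UxdDvRb5x4bn1/6/qaJxfSXSy+Rv
n/E4+HccWRoA9KA0YUdLVBAsO9f2h+u7HUK3vkdc/QKCAQEA21in5uufLf+xYM+7
J7K8cWSDeQJDPIR21hgw8J7pmUVHxw6ik6213z/P0EfRJ9Nmnk1xrPIeJVp7ment
8vQuFBc8qfIRkLDRw1xxxL0ol4Qm0e2eBKcj5eTI2kiv1uS7NdQvv6AvTiiE3Gv+
aF3hpok53SyrItC6Cp7Ti9pVD8oJSW9SFv4+0wdJ4qVoD1Gaj82fSkByysXxPwox
gZdokx3xmfX6qWfXcGvZ7nXfMK/Y9hMWUc3WOjZKhAHHMatVNxRzEp1J1SV3qNC1
z2z52he0IUSEAQLzS32M/n3kF6EC6gK8zl4fFYgiVEchpFEcbunRoELs/SL8MyS7
MMwAoQKCAQAH+0II+iGPkVbPN//l3Z2UTGtlNfe4LysQXniHTVOGy9AofiigBYk8
t40tEiESCq4A7i/Fzwc89OVNKMap8xbwt44vAcdfKAur4BR+LCaDTw/gx9UUyQB0
MG0MFVLWijmnPPhR/wboYuJQL/H2Lx37LNo1xY4WlIviJ5Rg3OWe7DYVaOSOp7jU
DwcuONLJBPXvDeQpUz+wMQLACUYeZZtGVaWI7dCO02dcGY4uqJC7nCkwh2nmVoWI
CGKLBgK7zI0o2S3+TDP4cI2jV3Eh5DzDvYJjCUDqSOLC6TQaRG3V3QTYIkaBcIk+
nr4Dn2rLHMX9pOPuU+8xLKVkVcC0t/n9AoIBAQDUPPjFkg80Cl63TZLpToB7K9Ki
hmoVDqgG2E+91E3cDK2+/8knaPB57A3a34qqp06YjUaKr5v6dwuKgTK4ubUxtw4d
iTIly2KJQX9U7kFira68irP+q+h6sbi0JfK9+lv5ITmJCBsy1MY4U7rLWnn3P+VS
UtLGOP4gEn4ZtNFBrFJmP+AySvtTNhM+CF8Hi9p4i7tAkIzZ9kpMiQKU70LizCV9
2FrsKJw2g4JaU97IFIquM/c6NG4cH+D9eP4YL3G+uodmdERvXJ5muFGUMaXMn/TC
+dyEZ2Dlz6DiGF63r7qGCi4nxyI3HfY3+hNA6X3NuucN8nVnD/S7kuzLWKhZ
-----END RSA PRIVATE KEY-----`)

// GoproxyCa is the builtin CA key pair assembled from CA_CERT and CA_KEY;
// goproxyCaErr records any failure of that assembly and is checked (and
// turned into a panic) by init above. Callers that replace GoproxyCa with
// their own CA should do so before the proxy starts minting certificates.
var GoproxyCa, goproxyCaErr = tls.X509KeyPair(CA_CERT, CA_KEY)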