From 3ab9ca9e4dd73cd47c5a50163aa778949f99eb6c Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 18 Jun 2025 16:06:48 +0200
Subject: [PATCH] refactor(http): Don't hardcode TLS configuration

- TLS 1.2 is used as MinVersion by default
- With regard to CipherSuites, in Go 1.22 RSA key exchange based cipher suites were removed from the default list, and in Go 1.23 3DES cipher suites were removed as well. Ciphers for TLS1.3 aren't configurable.
- No need to specify CurveP25, as the servers will likely disable the weird ones like CurveP384 and CurveP521. Removing the explicit specification also enables the post-quantum X25519MLKEM768, wow!

I trust the go team to make better choices on the long term than us keeping miniflux up to date with the latest TLS trend.
---
 internal/http/server/httpd.go | 23 -----------------------
 1 file changed, 23 deletions(-)

diff --git a/internal/http/server/httpd.go b/internal/http/server/httpd.go
index deacb084..0cc564d6 100644
--- a/internal/http/server/httpd.go
+++ b/internal/http/server/httpd.go
@@ -4,7 +4,6 @@
 package httpd // import "miniflux.app/v2/internal/http/server"
 
 import (
-	"crypto/tls"
 	"fmt"
 	"log/slog"
 	"net"
@@ -98,26 +97,6 @@ func startUnixSocketServer(server *http.Server, socketFile string) {
 	}(socketFile)
 }
 
-func tlsConfig() *tls.Config {
-	// See https://blog.cloudflare.com/exposing-go-on-the-internet/
-	// And https://wiki.mozilla.org/Security/Server_Side_TLS
-	return &tls.Config{
-		MinVersion: tls.VersionTLS12,
-		CurvePreferences: []tls.CurveID{
-			tls.CurveP256,
-			tls.X25519,
-		},
-		CipherSuites: []uint16{
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		},
-	}
-}
-
 func startAutoCertTLSServer(server *http.Server, certDomain string, store *storage.Storage) {
 	server.Addr = ":https"
 	certManager := autocert.Manager{
@@ -125,7 +104,6 @@ func startAutoCertTLSServer(server *http.Server, certDomain string, store *stora
 		Prompt: autocert.AcceptTOS,
 		HostPolicy: autocert.HostWhitelist(certDomain),
 	}
-	server.TLSConfig = tlsConfig()
 	server.TLSConfig.GetCertificate = certManager.GetCertificate
 	server.TLSConfig.NextProtos = []string{"h2", "http/1.1", acme.ALPNProto}
 
@@ -148,7 +126,6 @@ func startAutoCertTLSServer(server *http.Server, certDomain string, store *stora
 }
 
 func startTLSServer(server *http.Server, certFile, keyFile string) {
-	server.TLSConfig = tlsConfig()
 	go func() {
 		slog.Info("Starting TLS server using a certificate",
 			slog.String("listen_address", server.Addr),
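Review bot: With `server.TLSConfig = tlsConfig()` removed from startAutoCertTLSServer, the next context line `server.TLSConfig.GetCertificate = certManager.GetCertificate` dereferences `server.TLSConfig`, which is nil for a zero-value http.Server unless a caller outside this hunk assigned it, so the autocert path now panics at startup instead of serving. The `crypto/tls` import was dropped in the first hunk, so rather than re-adding it to build an empty config, take the config from the manager, which already sets GetCertificate and a NextProtos list containing acme.ALPNProto: replace the two `server.TLSConfig.` lines with `server.TLSConfig = certManager.TLSConfig()`. startAutoCertTLSServer's body continues past this hunk, so whatever else it touches on server.TLSConfig would keep working once the config is non-nil.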
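Review bot: The startTLSServer hunk leaves no trace of why the TLS policy is now implicit, and the properties the commit message relies on hold only with the toolchain defaults: the server-side TLS 1.2 minimum arrived in Go 1.22, and it, RSA key exchange and 3DES can each be brought back by GODEBUG (`tls10server=1`, `tlsrsakex=1`, `tls3des=1`), whose defaults follow the `go` directive in go.mod. A nil TLSConfig is fine here as far as this hunk shows, since ListenAndServeTLS builds its own config when none is set, though that call is outside the hunk. A one-line comment where the assignment used to be keeps that dependency visible to whoever next bumps the toolchain: `// TLS policy comes from crypto/tls defaults; it tracks the go directive in go.mod and GODEBUG tls10server/tlsrsakex/tls3des.`. startTLSServer's body continues outside the hunk.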