
refactor(http): Don't hardcode TLS configuration

- TLS 1.2 is used as MinVersion by default
- With regard to CipherSuites, in Go 1.22 RSA key exchange based cipher suites
  were removed from the default list, and in Go 1.23 3DES cipher suites were
  removed as well. Ciphers for TLS1.3 aren't configurable.
- No need to specify CurveP256, as the servers will likely disable the weird
  ones like CurveP384 and CurveP521. Removing the explicit specification also
  enables the post-quantum X25519MLKEM768, wow!

I trust the go team to make better choices in the long term than us keeping
miniflux up to date with the latest TLS trend.
This commit is contained in:
jvoisin 2025-06-18 16:06:48 +02:00 committed by Frédéric Guillot
parent 1af6df7cb9
commit 3ab9ca9e4d


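--- a/internal/http/server/<FILENAME-NOT-ON-PAGE>.go
+++ b/internal/http/server/<FILENAME-NOT-ON-PAGE>.go
@@ -4,7 +4,6 @@
 package httpd // import "miniflux.app/v2/internal/http/server"
 import (
-"crypto/tls"
 "fmt"
 "log/slog"
 "net"
@@ -98,26 +97,6 @@ func startUnixSocketServer(server *http.Server, socketFile string) {
 }(socketFile)
 }
-func tlsConfig() *tls.Config {
-// See https://blog.cloudflare.com/exposing-go-on-the-internet/
-// And https://wiki.mozilla.org/Security/Server_Side_TLS
-return &tls.Config{
-MinVersion: tls.VersionTLS12,
-CurvePreferences: []tls.CurveID{
-tls.CurveP256,
-tls.X25519,
-},
-CipherSuites: []uint16{
-tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-},
-}
-}
 func startAutoCertTLSServer(server *http.Server, certDomain string, store *storage.Storage) {
 server.Addr = ":https"
 certManager := autocert.Manager{
@@ -125,7 +104,6 @@ func startAutoCertTLSServer(server *http.Server, certDomain string, store *stora
 Prompt: autocert.AcceptTOS,
 HostPolicy: autocert.HostWhitelist(certDomain),
 }
-server.TLSConfig = tlsConfig()
 server.TLSConfig.GetCertificate = certManager.GetCertificate
 server.TLSConfig.NextProtos = []string{"h2", "http/1.1", acme.ALPNProto}
@@ -148,7 +126,6 @@ func startAutoCertTLSServer(server *http.Server, certDomain string, store *stora
 }
 func startTLSServer(server *http.Server, certFile, keyFile string) {
-server.TLSConfig = tlsConfig()
 go func() {
 slog.Info("Starting TLS server using a certificate",
 slog.String("listen_address", server.Addr),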
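Review bot: With `server.TLSConfig = tlsConfig()` dropped from startAutoCertTLSServer, the following line `server.TLSConfig.GetCertificate = certManager.GetCertificate` dereferences server.TLSConfig, which is nil unless the caller already populated it on the http.Server (not visible in this section), so the autocert path now panics at startup instead of serving TLS. The smallest fix that keeps the new "use crypto/tls defaults" policy is to take the config from the manager, `server.TLSConfig = certManager.TLSConfig()`, which already sets GetCertificate and the ALPN protos, or at minimum `server.TLSConfig = &tls.Config{}` before the field writes (which needs the removed crypto/tls import back). The startTLSServer hunk is fine as is, since ListenAndServeTLS tolerates a nil TLSConfig. Separately, the defaults the commit message relies on (TLS 1.2 server minimum, no RSA key exchange or 3DES suites) are keyed to the `go` directive in go.mod and can be reverted per process via the GODEBUG settings tls10server, tlsrsakex and tls3des, so a one-line comment at the old call sites such as `// TLS policy relies on crypto/tls defaults; requires go.mod go >= 1.23 and no GODEBUG tls* overrides` would make that dependency explicit to the next maintainer.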