From 59e464ca660e9fecc55639d5ef9332ed3dab9e33 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 18 Jun 2025 16:06:48 +0200 Subject: [PATCH] refactor(http): Don't hardcode TLS configuration - TLS 1.2 is used as MinVersion by default - With regard to CipherSuites, in Go 1.22 RSA key exchange based cipher suites were removed from the default list, and in Go 1.23 3DES cipher suites were removed as well. Ciphers for TLS1.3 aren't configurable. - No need to specify CurveP25, as the servers will likely disable the weird ones like CurveP384 and CurveP521. Removing the explicit specification also enables the post-quantum X25519MLKEM768, wow! I trust the go team to make better choices on the long term than us keeping miniflux up to date with the latest TLS trend. --- internal/http/server/httpd.go | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/internal/http/server/httpd.go b/internal/http/server/httpd.go index deacb084..0cc564d6 100644 --- a/internal/http/server/httpd.go +++ b/internal/http/server/httpd.go @@ -4,7 +4,6 @@ package httpd // import "miniflux.app/v2/internal/http/server" import ( - "crypto/tls" "fmt" "log/slog" "net" 
@@ -98,26 +97,6 @@ func startUnixSocketServer(server *http.Server, socketFile string) { }(socketFile) } -func tlsConfig() *tls.Config { - // See https://blog.cloudflare.com/exposing-go-on-the-internet/ - // And https://wiki.mozilla.org/Security/Server_Side_TLS - return &tls.Config{ - MinVersion: tls.VersionTLS12, - CurvePreferences: []tls.CurveID{ - tls.CurveP256, - tls.X25519, - }, - CipherSuites: []uint16{ - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - }, - } -} - func startAutoCertTLSServer(server *http.Server, certDomain string, store *storage.Storage) { server.Addr = ":https" certManager := autocert.Manager{ @@ -125,7 +104,6 @@ func startAutoCertTLSServer(server *http.Server, certDomain string, store *stora Prompt: autocert.AcceptTOS, HostPolicy: autocert.HostWhitelist(certDomain), } - server.TLSConfig = tlsConfig() server.TLSConfig.GetCertificate = certManager.GetCertificate server.TLSConfig.NextProtos = []string{"h2", "http/1.1", acme.ALPNProto} @@ -148,7 +126,6 @@ func startAutoCertTLSServer(server *http.Server, certDomain string, store *stora } func startTLSServer(server *http.Server, certFile, keyFile string) { - server.TLSConfig = tlsConfig() go func() { slog.Info("Starting TLS server using a certificate", slog.String("listen_address", server.Addr),
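Review bot: In the startAutoCertTLSServer hunk, removing `server.TLSConfig = tlsConfig()` leaves the next two lines, `server.TLSConfig.GetCertificate = certManager.GetCertificate` and `server.TLSConfig.NextProtos = ...`, writing through a nil `*tls.Config` unless the caller already populated `server.TLSConfig`, which is not visible here; on an `http.Server` built with a zero TLSConfig this panics at startup. The fix that keeps `crypto/tls` out of the import list is to let autocert build the config: replace both lines with `server.TLSConfig = certManager.TLSConfig()`, which sets GetCertificate and a NextProtos list of `h2`, `http/1.1` and `acme.ALPNProto` itself. The startTLSServer hunk below is not affected, since ListenAndServeTLS creates its own config when TLSConfig is nil; both functions continue outside their hunks. It would also be worth a comment near the TLS setup that the MinVersion and cipher-suite defaults now follow the toolchain selected by the module's `go` directive, so the posture described in the commit message holds only for builds on Go 1.22/1.23 or newer.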