tls: Use IANA-standard cipher suite names

2024-11-25 09:05:44 +08:00 · 2019-07-18 09:52:43 -06:00 · 2019-07-18 09:52:43 -06:00 · 28df6cedfe
commit 28df6cedfe
parent dd6aa91d72
3 changed files with 34 additions and 27 deletions
--- a/modules.go
+++ b/modules.go
@ -86,7 +86,7 @@ func GetModules(scope string) []Module {
 	// handle the special case of an empty scope, which
 	// should match only the top-level modules
-	if len(scopeParts) == 1 && scopeParts[0] == "" {
+	if scope == "" {
 		scopeParts = []string{}
 	}
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@ -202,14 +202,5 @@ func onDemandAskRequest(ask string, name string) error {
 	return nil
 }
 // supportedCertKeyTypes is all the key types that are supported
 // for certificates that are obtained through ACME.
 var supportedCertKeyTypes = map[string]certcrypto.KeyType{
 	"RSA2048": certcrypto.RSA2048,
 	"RSA4096": certcrypto.RSA4096,
 	"P256":    certcrypto.EC256,
 	"P384":    certcrypto.EC384,
 }
 // Interface guard
 var _ managerMaker = (*ACMEManagerMaker)(nil)
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@ -18,28 +18,35 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"github.com/go-acme/lego/certcrypto"
 	"github.com/klauspost/cpuid"
 )
 // supportedCipherSuites is the unordered map of cipher suite
-// string names to their definition in crypto/tls.
+// string names to their definition in crypto/tls. All values
-// TODO: might not be needed much longer, see:
+// should be IANA-reserved names. See
-// https://github.com/golang/go/issues/30325
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 // TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
 var supportedCipherSuites = map[string]uint16{
-	"ECDHE_ECDSA_AES256_GCM_SHA384":      tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	"ECDHE_RSA_AES256_GCM_SHA384":        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	"ECDHE_ECDSA_AES128_GCM_SHA256":      tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	"ECDHE_RSA_AES128_GCM_SHA256":        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	"ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-	"ECDHE_RSA_WITH_CHACHA20_POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-	"ECDHE_RSA_AES256_CBC_SHA":           tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	"ECDHE_RSA_AES128_CBC_SHA":           tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	"ECDHE_ECDSA_AES256_CBC_SHA":         tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	"ECDHE_ECDSA_AES128_CBC_SHA":         tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	"RSA_AES256_CBC_SHA":                 tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	"RSA_AES128_CBC_SHA":                 tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	"ECDHE_RSA_3DES_EDE_CBC_SHA":         tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	"TLS_RSA_WITH_AES_128_GCM_SHA256":               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	"RSA_3DES_EDE_CBC_SHA":               tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	"TLS_RSA_WITH_AES_256_GCM_SHA384":               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 	"TLS_RSA_WITH_AES_256_CBC_SHA":                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 	"TLS_RSA_WITH_AES_128_CBC_SHA256":               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
 	"TLS_RSA_WITH_AES_128_CBC_SHA":                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 }
 // defaultCipherSuites is the ordered list of all the cipher
@ -86,6 +93,15 @@ var supportedCurves = map[string]tls.CurveID{
 	"P521":   tls.CurveP521,
 }
 // supportedCertKeyTypes is all the key types that are supported
 // for certificates that are obtained through ACME.
 var supportedCertKeyTypes = map[string]certcrypto.KeyType{
 	"RSA2048": certcrypto.RSA2048,
 	"RSA4096": certcrypto.RSA4096,
 	"P256":    certcrypto.EC256,
 	"P384":    certcrypto.EC384,
 }
 // defaultCurves is the list of only the curves we want to use
 // by default, in descending order of preference.
 //