~untrusted-ci-dev-bot/ubuntu-push/ubuntu-push-ubuntu-xenial-1169

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/*
 Copyright 2013-2014 Canonical Ltd.

 This program is free software: you can redistribute it and/or modify it
 under the terms of the GNU General Public License version 3, as published
 by the Free Software Foundation.

 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranties of
 MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
 PURPOSE.  See the GNU General Public License for more details.

 You should have received a copy of the GNU General Public License along
 with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package server

import (
	"crypto/tls"
	"fmt"

	"launchpad.net/ubuntu-push/config"
)

// A TLSParsedConfig holds and can be used to parse a tls server config.
type TLSParsedConfig struct {
	ParsedKeyPEMFile  string `json:"key_pem_file"`
	ParsedCertPEMFile string `json:"cert_pem_file"`
	// private post-processed config
	cert tls.Certificate
}

func (cfg *TLSParsedConfig) LoadPEMs(baseDir string) error {
	keyPEMBlock, err := config.LoadFile(cfg.ParsedKeyPEMFile, baseDir)
	if err != nil {
		return fmt.Errorf("reading key_pem_file: %v", err)
	}
	certPEMBlock, err := config.LoadFile(cfg.ParsedCertPEMFile, baseDir)
	if err != nil {
		return fmt.Errorf("reading cert_pem_file: %v", err)
	}
	cfg.cert, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
	return err
}

func (cfg *TLSParsedConfig) TLSServerConfig() *tls.Config {
	tlsCfg := &tls.Config{
		Certificates:           []tls.Certificate{cfg.cert},
		SessionTicketsDisabled: true,
		// order from crypto/tls/cipher_suites.go, no RC4
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
		MinVersion: tls.VersionTLS10,
	}
	return tlsCfg
}