
Allow setting custom TLS ciphers

Open mattgahs opened this issue 2 years ago • 2 comments

Hello!

I need to disable some TLS ciphers in the mokey web service. What's the best way to do so?

Specifically:

TLSv1.2:

  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-CHACHA20-POLY1304

TLSv1.3:

  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256

Thanks!

mattgahs, Nov 06 '23 13:11

Looks like mokey might need some amendments in the code to implement the setting of this in the TOML file / via options from https://pkg.go.dev/net/http#hdr-Clients_and_Transports

For now I would recommend configuring a reverse proxy with the OS native NGINX / Apache or something like the SWAG docker.

Aterfax, Nov 06 '23 17:11

@mattgahs We currently do not support setting custom TLS ciphers. As @Aterfax mentioned, you have a few options:

  1. Run mokey behind nginx (or another webserver) using proxy pass and configure your custom ciphers there
  2. Modify the code here to support setting a custom tls.Config with your custom cipher list. See here.

I'll add this issue as a feature so in the future we can support custom ciphers. If you do end up implementing option 2 feel free to submit a PR.

aebruno, Nov 07 '23 14:11
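A sketch of what option 2 could look like, as an added example that is not mokey's code: `buildTLSConfig` and its deny-list parameter are hypothetical, and how the resulting `tls.Config` is wired into mokey's listener is not shown. It assumes Go's IANA suite names are used instead of the OpenSSL-style names in the issue, and it reports TLS 1.3 suites separately because `crypto/tls` does not apply `Config.CipherSuites` to TLS 1.3.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// only13 reports whether a suite exists only in TLS 1.3.
func only13(s *tls.CipherSuite) bool {
	return len(s.SupportedVersions) == 1 && s.SupportedVersions[0] == tls.VersionTLS13
}

// buildTLSConfig (hypothetical helper) returns a server config whose TLS 1.2
// suite list is Go's secure set minus the IANA names in deny. Denied TLS 1.3
// names come back in skipped: Config.CipherSuites has no effect on TLS 1.3.
func buildTLSConfig(deny []string) (*tls.Config, []string, error) {
	known := map[string]*tls.CipherSuite{}
	for _, s := range tls.CipherSuites() {
		known[s.Name] = s
	}
	for _, s := range tls.InsecureCipherSuites() {
		known[s.Name] = s
	}
	denied := map[string]bool{}
	var skipped []string
	for _, name := range deny {
		s, ok := known[name]
		if !ok { // e.g. an OpenSSL-style name or a typo
			return nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		if only13(s) {
			skipped = append(skipped, name)
		}
		denied[name] = true
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	for _, s := range tls.CipherSuites() { // secure suites only
		if !denied[s.Name] && !only13(s) {
			cfg.CipherSuites = append(cfg.CipherSuites, s.ID)
		}
	}
	if len(cfg.CipherSuites) == 0 { // an empty list would mean "Go defaults"
		return nil, nil, fmt.Errorf("deny list removes every TLS 1.2 suite")
	}
	return cfg, skipped, nil
}

func main() {
	// Constructed input: a deny list as it might be read from a config file.
	cfg, skipped, err := buildTLSConfig([]string{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"})
	fmt.Println(len(cfg.CipherSuites), skipped, err)
}
```

Suites listed in `skipped` stay negotiable on TLS 1.3 connections; restricting them needs either `MaxVersion: tls.VersionTLS12` or a fronting proxy as in option 1.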