mirror of
https://github.com/securego/gosec.git
synced 2024-12-26 04:25:52 +00:00
Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
This commit is contained in:
Cosmin Cojocar
Grant Murphy
parent
76ce9f0147
commit
81b6dc8872
3 changed files with 28 additions and 79 deletions
2
go.sum
2
go.sum
|
|
@ -43,6 +43,7 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90Pveol
|
||||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||||
golang.org/x/crypto v0.0.0-20190907121410-71b5226ff739 h1:Gc7JIyxvWgD6m+QmVryY0MstDORNYididDGxgZ6Tnpk=
|
golang.org/x/crypto v0.0.0-20190907121410-71b5226ff739 h1:Gc7JIyxvWgD6m+QmVryY0MstDORNYididDGxgZ6Tnpk=
|
||||||
golang.org/x/crypto v0.0.0-20190907121410-71b5226ff739/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20190907121410-71b5226ff739/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
|
golang.org/x/crypto v0.0.0-20190909091759-094676da4a83 h1:mgAKeshyNqWKdENOnQsg+8dRTwZFIwFaO3HNl52sweA=
|
||||||
golang.org/x/crypto v0.0.0-20190909091759-094676da4a83/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20190909091759-094676da4a83/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||||
|
|
@ -62,6 +63,7 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/p
|
||||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
golang.org/x/sys v0.0.0-20190907184412-d223b2b6db03 h1:b3JiLYVaG9kHjTcOQIoUh978YMCO7oVTQQBLudU47zY=
|
golang.org/x/sys v0.0.0-20190907184412-d223b2b6db03 h1:b3JiLYVaG9kHjTcOQIoUh978YMCO7oVTQQBLudU47zY=
|
||||||
golang.org/x/sys v0.0.0-20190907184412-d223b2b6db03/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20190907184412-d223b2b6db03/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
|
golang.org/x/sys v0.0.0-20190909082730-f460065e899a h1:mIzbOulag9/gXacgxKlFVwpCOWSfBT3/pDyyCwGA9as=
|
||||||
golang.org/x/sys v0.0.0-20190909082730-f460065e899a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20190909082730-f460065e899a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
|
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
|
||||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||||
|
|
|
||||||
|
|
@ -12,19 +12,12 @@ func NewModernTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
return &insecureConfigTLS{
|
return &insecureConfigTLS{
|
||||||
MetaData: gosec.MetaData{ID: id},
|
MetaData: gosec.MetaData{ID: id},
|
||||||
requiredType: "crypto/tls.Config",
|
requiredType: "crypto/tls.Config",
|
||||||
MinVersion: 0x0303,
|
MinVersion: 0x0304,
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0304,
|
||||||
goodCiphers: []string{
|
goodCiphers: []string{
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
"TLS_AES_128_GCM_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_AES_256_GCM_SHA384",
|
||||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
"TLS_CHACHA20_POLY1305_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
},
|
},
|
||||||
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
||||||
}
|
}
|
||||||
|
|
@ -35,39 +28,20 @@ func NewIntermediateTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.No
|
||||||
return &insecureConfigTLS{
|
return &insecureConfigTLS{
|
||||||
MetaData: gosec.MetaData{ID: id},
|
MetaData: gosec.MetaData{ID: id},
|
||||||
requiredType: "crypto/tls.Config",
|
requiredType: "crypto/tls.Config",
|
||||||
MinVersion: 0x0301,
|
MinVersion: 0x0303,
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0304,
|
||||||
goodCiphers: []string{
|
goodCiphers: []string{
|
||||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
"TLS_AES_128_GCM_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
"TLS_AES_256_GCM_SHA384",
|
||||||
|
"TLS_CHACHA20_POLY1305_SHA256",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
|
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA256",
|
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
},
|
},
|
||||||
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
||||||
}
|
}
|
||||||
|
|
@ -78,64 +52,37 @@ func NewOldTLSCheck(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
|
||||||
return &insecureConfigTLS{
|
return &insecureConfigTLS{
|
||||||
MetaData: gosec.MetaData{ID: id},
|
MetaData: gosec.MetaData{ID: id},
|
||||||
requiredType: "crypto/tls.Config",
|
requiredType: "crypto/tls.Config",
|
||||||
MinVersion: 0x0300,
|
MinVersion: 0x0301,
|
||||||
MaxVersion: 0x0303,
|
MaxVersion: 0x0304,
|
||||||
goodCiphers: []string{
|
goodCiphers: []string{
|
||||||
|
"TLS_AES_128_GCM_SHA256",
|
||||||
|
"TLS_AES_256_GCM_SHA384",
|
||||||
|
"TLS_CHACHA20_POLY1305_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
|
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
|
|
||||||
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
|
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||||
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
|
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
|
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
|
||||||
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA256",
|
"TLS_RSA_WITH_AES_256_CBC_SHA256",
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||||
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
|
|
||||||
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
"TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
|
|
||||||
"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
|
|
||||||
"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
|
|
||||||
"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
|
|
||||||
"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
|
|
||||||
"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
|
|
||||||
"TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
|
|
||||||
"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
|
|
||||||
"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
|
|
||||||
"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
|
|
||||||
"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
|
|
||||||
"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
|
|
||||||
"TLS_DHE_RSA_WITH_SEED_CBC_SHA",
|
|
||||||
"TLS_DHE_DSS_WITH_SEED_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_SEED_CBC_SHA",
|
|
||||||
},
|
},
|
||||||
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
}, []ast.Node{(*ast.CompositeLit)(nil)}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1027,7 +1027,7 @@ import (
|
||||||
func main() {
|
func main() {
|
||||||
tr := &http.Transport{
|
tr := &http.Transport{
|
||||||
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
|
TLSClientConfig: &tls.Config{CipherSuites: []uint16{
|
||||||
tls.TLS_RSA_WITH_RC4_128_SHA,
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
},},
|
},},
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue