
Commit 492abc3

fix(model): allow tls 1.3 cipher suite names
Updates the model's cipher-suite validation to allow TLS 1.3 cipher suite names, which start with `TLS_` and use underscores rather than dashes as separators.
1 parent 406f0bb commit 492abc3

2 files changed

Lines changed: 3 additions & 3 deletions


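--- a/model/model.go
+++ b/model/model.go
@@ -212,7 +212,7 @@ func newCertificate(cert string, key string) *Certificate {
 type SSLConfig struct {
 Enforce bool `key:"enforce" constraint:"(?i)^(true|false)$"`
 Protocols string `key:"protocols" constraint:"^((SSLv[2-3]|TLSv1(?:\\.[1-3])?)\\s*)+$"`
-Ciphers string `key:"ciphers" constraint:"^((([aek]?[A-Z\\d]{2,}([rd]|v\\d(\\.\\d)?)?([!+-]?\\b|\\B))+|([A-Z\\d][A-Z\\d-]+[A-Z\\d]([!+]?\\b|\\B))+)(:?@(STRENGTH|SECLEVEL=[0-5]))?(:([!+-]\\b)?|$))*$"`
+Ciphers string `key:"ciphers" constraint:"^((([aek]?[A-Z\\d]{2,}([rd]|v\\d(\\.\\d)?)?([!+-]?\\b|\\B))+|(([A-Z\\d][A-Z\\d-]+|TLS_[A-Z\\d][A-Z\\d_]+)[A-Z\\d]([!+]?\\b|\\B))+)(:?@(STRENGTH|SECLEVEL=[0-5]))?(:([!+-]\\b)?|$))*$"`
 SessionCache string `key:"sessionCache" constraint:"^(off|none|((builtin(:[1-9]\\d*)?|shared:\\w+:[1-9]\\d*[kKmM]?)\\s*){1,2})$"`
 SessionTimeout string `key:"sessionTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`
 UseSessionTickets bool `key:"useSessionTickets" constraint:"(?i)^(true|false)$"`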
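Review bot: The new `TLS_[A-Z\\d][A-Z\\d_]+` alternative on the `Ciphers` constraint accepts any underscore-separated token that begins with `TLS_`, not only the defined TLS 1.3 suite names, and nothing on the field records that the check is syntactic only. A doc comment on the field would make that explicit for whoever wires the value into the TLS stack, e.g. `// Ciphers is validated syntactically only: OpenSSL-style cipher strings and TLS 1.3 suite names (TLS_..., underscore-separated) both pass; no check confirms a suite exists or that the consumer honors TLS 1.3 names given here.` If this value is handed to an OpenSSL-style cipher list, TLS 1.3 suites are typically configured through a separate ciphersuites setting, so a config could pass validation without restricting TLS 1.3 as the operator intends; that is worth confirming against the consumer of `SSLConfig`. The struct definition continues past the end of the hunk.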

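--- a/model/model_validation_test.go
+++ b/model/model_validation_test.go
@@ -304,11 +304,11 @@ func TestValidSSLProtocols(t *testing.T) {
 }
 
 func TestInvalidSSLCiphers(t *testing.T) {
-testInvalidValues(t, newTestSSLConfig, "Ciphers", "ciphers", []string{"0", "-1", "foobar", "!DSS", "@STRENGTH"})
+testInvalidValues(t, newTestSSLConfig, "Ciphers", "ciphers", []string{"0", "-1", "foobar", "!DSS", "@STRENGTH", "!TLS_AES_128_GCM_SHA256"})
 }
 
 func TestValidSSLCiphers(t *testing.T) {
-testValidValues(t, newTestSSLConfig, "Ciphers", "ciphers", []string{"DHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA", "EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5", "DEFAULT@SECLEVEL=3:-TLSv1.2+DH", "TLS13:TLSv1.2", "SUITEB128ONLY", "kEECDH+aRSA!RC4"})
+testValidValues(t, newTestSSLConfig, "Ciphers", "ciphers", []string{"DHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA", "EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5", "DEFAULT@SECLEVEL=3:-TLSv1.2+DH", "TLS13:TLSv1.2", "SUITEB128ONLY", "kEECDH+aRSA!RC4", "TLS_AES_128_GCM_SHA256:EECDH+AES128+SHA256"})
 }
 
 func TestInvalidSSLSessionCache(t *testing.T) {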
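Review bot: The added cases pin only a leading `!` as invalid and one mixed valid string; neither exercises the edges of the new `TLS_` alternative, which by its pattern needs at least one character after `TLS_` and must end in a letter or digit. Extending the invalid list to `[]string{"0", "-1", "foobar", "!DSS", "@STRENGTH", "!TLS_AES_128_GCM_SHA256", "TLS_", "TLS_AES_128_GCM_SHA256_"}` would guard those boundaries against later regex edits. A lowercase name such as `tls_aes_128_gcm_sha256` appears to be rejected today because the character classes are uppercase-only, so pinning that in the invalid list would also document the intended case sensitivity. Both test functions lie entirely within the hunk.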
