Pull request: all: imp tls cipher selection

Closes #2993. Squashed commit of the following: commit 6c521e56de024bf92ab7489ed2289da6bce1f3dc Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Jan 25 21:39:48 2022 +0300 all: imp tls cipher selection
2025-05-06 16:02:55 +03:00 · 2022-01-26 14:39:34 +03:00 · 2022-01-26 14:39:34 +03:00 · 504c54ab0e
commit 504c54ab0e
parent 90c17c79de
7 changed files with 52 additions and 62 deletions
--- a/internal/home/web.go
+++ b/internal/home/web.go
@ -10,6 +10,7 @@ import (
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
@ -34,14 +35,13 @@ const (
 )

 type webConfig struct {
+	clientFS     fs.FS
+	clientBetaFS fs.FS
+
 	BindHost     net.IP
 	BindPort     int
 	BetaBindPort int
 	PortHTTPS    int
-	firstRun     bool
-
-	clientFS     fs.FS
-	clientBetaFS fs.FS

 	// ReadTimeout is an option to pass to http.Server for setting an
 	// appropriate field.
@ -54,6 +54,8 @@ type webConfig struct {
 	// WriteTimeout is an option to pass to http.Server for setting an
 	// appropriate field.
 	WriteTimeout time.Duration
+
+	firstRun bool
 }

 // HTTPSServer - HTTPS Server
@ -263,9 +265,9 @@ func (web *Web) tlsServerLoop() {
 			Addr:     address,
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{web.httpsServer.cert},
-				MinVersion:   tls.VersionTLS12,
 				RootCAs:      Context.tlsRoots,
-				CipherSuites: Context.tlsCiphers,
+				CipherSuites: aghtls.SaferCipherSuites(),
+				MinVersion:   tls.VersionTLS12,
 			},
 			Handler:           withMiddlewares(Context.mux, limitRequestBody),
 			ReadTimeout:       web.conf.ReadTimeout,