Merge pull request #21 from buffrr/tls-improvements

TLS improvements

tls.go

@@ -24,6 +24,19 @@ func newTLSConfig(host string, rrs []*dns.TLSA, nameCheck bool) *tls.Config {
 		VerifyConnection:   verifyConnection(rrs, nameCheck),
 		ServerName:         host,
 		MinVersion:         tls.VersionTLS12,
+		// Supported TLS 1.2 cipher suites
+		// Crypto package does automatic cipher suite ordering
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+		},
 	}
 }
 

tunnel.go

@@ -123,7 +123,9 @@ func (h *tunneler) Tunnel(ctx context.Context, clientConn *proxy.Conn, network,
 	// used by the remote server
 	clientTLSConfig := h.mitm.configForTLSADomain(tlsaDomain)
 	if alpn {
-		clientTLSConfig.NextProtos = []string{remote.ConnectionState().NegotiatedProtocol}
+		if serverProto := remote.ConnectionState().NegotiatedProtocol; serverProto != "" {
+			clientTLSConfig.NextProtos = []string{serverProto}
+		}
 	}
 
 	clientTLS := tls.Server(clientConn, clientTLSConfig)