Add configurable TLS profiles for listeners

Add a tls_profile option that controls the minimum TLS version and allowed cipher suites for STARTTLS/TLS listeners. Profiles align with the Mozilla SSL Configuration Generator guidelines. Profiles: default - Go standard library defaults (no explicit constraints) modern - TLS 1.3+ only (Mozilla modern) intermediate - TLS 1.2+ with AEAD + ECDHE suites only (Mozilla intermediate) legacy - TLS 1.0+ with all Go cipher suites including insecure ones
2026-05-10 01:14:23 -06:00 · 2026-05-08 13:04:09 -04:00
parent d634a89b14
commit 8dcd6c8067
3 changed files with 81 additions and 1 deletions
--- a/main.go
+++ b/main.go
@@ -281,6 +281,7 @@ func generateUUID() string {
 }

 func getTLSConfig() *tls.Config {
+	// Certificate loading / validation
 	if *localCert == "" || *localKey == "" {
 		log.Fatal().
 			Str("cert_file", *localCert).
@@ -295,9 +296,60 @@ func getTLSConfig() *tls.Config {
 			Msg("cannot load X509 keypair")
 	}

-	return &tls.Config{
+	// TLS profile configuration
+	// tls.Config.CipherSuites only affects TLS 1.0–1.2.
+
+	// Base config: Go defaults unless overridden.
+	conf := &tls.Config{
 		Certificates: []tls.Certificate{cert},
 	}
+
+	profile := strings.ToLower(strings.TrimSpace(*tlsProfile))
+	if profile == "" {
+		profile = "default"
+	}
+
+	switch profile {
+	case "default":
+		// Go defaults (leave MinVersion/MaxVersion/CipherSuites unset).
+
+	case "modern":
+		// TLS 1.3+.
+		conf.MinVersion = tls.VersionTLS13
+
+	case "intermediate":
+		// TLS 1.2+ with AEAD + ECDHE cipher suites only.
+		// Mozilla "intermediate" — AEAD + ECDHE only.
+		conf.MinVersion = tls.VersionTLS12
+		conf.CipherSuites = []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		}
+
+	case "legacy":
+		// Last resort: TLS 1.0+ and everything Go exposes for TLS 1.0–1.2.
+		conf.MinVersion = tls.VersionTLS10
+
+		allSuites := []uint16{}
+		for _, cs := range tls.CipherSuites() {
+			allSuites = append(allSuites, cs.ID)
+		}
+		for _, cs := range tls.InsecureCipherSuites() {
+			allSuites = append(allSuites, cs.ID)
+		}
+		conf.CipherSuites = allSuites
+
+	default:
+		log.Warn().
+			Str("tls_profile", profile).
+			Msg("unknown tls_profile; using default")
+	}
+
+	return conf
 }

 func watchAliasFile() {