diff --git a/.github/workflows/typos.toml b/.github/workflows/typos.toml index 7ee9554f0cdc3..4197628dfd7d0 100644 --- a/.github/workflows/typos.toml +++ b/.github/workflows/typos.toml @@ -14,8 +14,12 @@ darcula = "darcula" Hashi = "Hashi" trialer = "trialer" encrypter = "encrypter" -hel = "hel" # as in helsinki -pn = "pn" # this is used as proto node +# as in helsinki +hel = "hel" +# this is used as proto node +pn = "pn" +# typos doesn't like the EDE in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA +EDE = "EDE" [files] extend-exclude = [ diff --git a/cli/server.go b/cli/server.go index 6a35e8aaa95ea..9c80ab1d9b8c7 100644 --- a/cli/server.go +++ b/cli/server.go @@ -1569,6 +1569,19 @@ func generateSelfSignedCertificate() (*tls.Certificate, error) { return &cert, nil } +// defaultCipherSuites is a list of safe cipher suites that we default to. This +// is different from Golang's list of defaults, which unfortunately includes +// `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`. +var defaultCipherSuites = func() []uint16 { + ret := []uint16{} + + for _, suite := range tls.CipherSuites() { + ret = append(ret, suite.ID) + } + + return ret +}() + // configureServerTLS returns the TLS config used for the Coderd server // connections to clients. A logger is passed in to allow printing warning // messages that do not block startup. @@ -1599,6 +1612,8 @@ func configureServerTLS(ctx context.Context, logger slog.Logger, tlsMinVersion, return nil, err } tlsConfig.CipherSuites = cipherIDs + } else { + tlsConfig.CipherSuites = defaultCipherSuites } switch tlsClientAuth { diff --git a/cli/server_internal_test.go b/cli/server_internal_test.go index 4e4f3b01c6ce5..cbfc60a1ff2d7 100644 --- a/cli/server_internal_test.go +++ b/cli/server_internal_test.go @@ -20,6 +20,28 @@ import ( "github.com/coder/serpent" ) +func Test_configureServerTLS(t *testing.T) { + t.Parallel() + t.Run("DefaultNoInsecureCiphers", func(t *testing.T) { + t.Parallel() + logger := slogtest.Make(t, nil) + cfg, err := configureServerTLS(context.Background(), logger, "tls12", "none", nil, nil, "", nil, false) + require.NoError(t, err) + + require.NotEmpty(t, cfg) + + insecureCiphers := tls.InsecureCipherSuites() + for _, cipher := range cfg.CipherSuites { + for _, insecure := range insecureCiphers { + if cipher == insecure.ID { + t.Logf("Insecure cipher found by default: %s", insecure.Name) + t.Fail() + } + } + } + }) +} + func Test_configureCipherSuites(t *testing.T) { t.Parallel()