From 6b34f0fdafacfa3e1716a2cab64e0841b7d2f36c Mon Sep 17 00:00:00 2001
From: carelinus <36591699+carelinus@users.noreply.github.com>
Date: Mon, 1 Jul 2019 10:41:32 +0200
Subject: [PATCH] more secure TLS configuration including TLS 1.3 (requires Go
 >= 1.12)

---
 webhook.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/webhook.go b/webhook.go
index 5d41077..fde501b 100644
--- a/webhook.go
+++ b/webhook.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"flag"
 	"fmt"
@@ -190,8 +191,26 @@ func main() {
 	n.UseHandler(router)
 
 	if *secure {
+		os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1") // enable TLS 1.3 in GO 1.12
+		cfg := &tls.Config{
+			MinVersion:               tls.VersionTLS12,
+			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			},
+		}
+		srv := &http.Server{
+			Addr:         fmt.Sprintf("%s:%d", *ip, *port),
+			Handler:      n,
+			TLSConfig:    cfg,
+			TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
+		}
 		log.Printf("serving hooks on https://%s:%d%s", *ip, *port, hooksURL)
-		log.Fatal(http.ListenAndServeTLS(fmt.Sprintf("%s:%d", *ip, *port), *cert, *key, n))
+		log.Fatal(srv.ListenAndServeTLS(*cert, *key))
 	} else {
 		log.Printf("serving hooks on http://%s:%d%s", *ip, *port, hooksURL)
 		log.Fatal(http.ListenAndServe(fmt.Sprintf("%s:%d", *ip, *port), n))