Improve TLS settings

2015-08-11 15:41:59 +02:00 · 2015-08-11 15:41:59 +02:00 · 44b28de95e
parent 6308071545
commit 44b28de95e
4 changed files with 29 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -33,11 +33,15 @@ The default values are:
 hostname = "localhost"
 port     = 3000
 urltable = "$XDG_CONFIG_HOME/breve"
-cert     = "/usr/share/tls/breve.crt"
-key      = "/usr/share/tls/breve.key"
+tls {
+  cert  = "/usr/share/tls/breve.crt"
+  key   = "/usr/share/tls/breve.key"
+  chain = []
+}
 ```

 `urltable` is the location of breve url hashtable
+`chain` is a list of chain certificate files

 ## License

--- a/breve.cabal
+++ b/breve.cabal
@ -29,7 +29,7 @@ executable breve
  other-modules:     Application, Views, Breve.Settings,
                     Breve.Generator, Breve.UrlTable
  other-extensions:  OverloadedStrings
-  build-depends:     base >=4.8 && <5.0, warp, warp-tls,
+  build-depends:     base >=4.8 && <5.0, warp, warp-tls, tls,
                     Spock, blaze-html, http-types,
                     wai, wai-middleware-static, wai-extra,
                     transformers, mtl,
--- a/src/Breve/Settings.hs
+++ b/src/Breve/Settings.hs
@ -1,21 +1,25 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 module Breve.Settings where

 import Control.Monad                   (when)
 import System.Environment              (lookupEnv)
 import System.Environment.XDG.BaseDir
 import System.Directory                (doesFileExist)
+import Data.Text                       (Text, pack)
 import Data.Configurator
 import Data.Monoid
-import Data.Text                       (Text, pack)
-import Network.Wai.Handler.WarpTLS     (tlsSettings, TLSSettings)
+
+import Network.Wai.Handler.WarpTLS     (TLSSettings (..), tlsSettingsChain)
+import Network.TLS                     (Version (..))
+import Network.TLS.Extra               (ciphersuite_strong)

 data AppSettings = AppSettings
-  { bindHost :: Text
-  , bindPort :: Int
-  , bindUrl  :: Text
-  , urlTable :: FilePath
-  , tlsSetts :: TLSSettings
+  { bindHost    :: Text
+  , bindPort    :: Int
+  , bindUrl     :: Text
+  , urlTable    :: FilePath
+  , tlsSettings :: TLSSettings
  }


@ -33,9 +37,10 @@ settings = do
  config <- load [Required configPath]
  host   <- lookupDefault "localhost"                config "hostname"
  port   <- lookupDefault 3000                       config "port"    
-  cert   <- lookupDefault "/usr/share/tls/breve.crt" config "cert"
-  key    <- lookupDefault "/usr/share/tls/breve.key" config "key"
  urls   <- lookupDefault urlsPath                   config "urltable"
+  cert   <- lookupDefault "/usr/share/tls/breve.crt" config "tls.cert"
+  key    <- lookupDefault "/usr/share/tls/breve.key" config "tls.key"
+  chain  <- lookupDefault []                         config "tls.chain"

  createEmptyIfMissing urls

@ -43,11 +48,15 @@ settings = do
      url  = if port == 443
               then base
               else base <> ":" <> pack (show port)
+      tls = (tlsSettingsChain cert chain key)
+        { tlsAllowedVersions = [TLS12, TLS11]
+        , tlsCiphers = ciphersuite_strong
+        }

  return AppSettings
    { bindHost = host
    , bindPort = port
    , bindUrl  = url <> "/"
    , urlTable = urls
-    , tlsSetts = tlsSettings cert key
+    , tlsSettings = tls
    }
--- a/src/Main.hs
+++ b/src/Main.hs
@ -13,8 +13,8 @@ import Network.Wai.Handler.WarpTLS (runTLS, TLSSettings)
 import Network.Wai.Handler.Warp    (run, defaultSettings, setPort)

 runBreve :: TLSSettings -> Int -> SpockT IO () -> IO ()
-runBreve tls port spock =
-  spockAsApp (spockT id spock) >>= runTLS tls settings
+runBreve tlsSettings port spock =
+  spockAsApp (spockT id spock) >>= runTLS tlsSettings settings
  where settings = setPort port defaultSettings


@ -34,4 +34,4 @@ main = do
  when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost)

  putStrLn ("Serving on " ++ unpack bindUrl)
-  runBreve tlsSetts bindPort (app bindUrl table)
+  runBreve tlsSettings bindPort (app bindUrl table)