From 44b28de95eff0b8954ac491f3c4d9c5ee94f176f Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Tue, 11 Aug 2015 15:41:59 +0200
Subject: [PATCH] Improve TLS settings

---
 README.md | 8 ++++++--
 breve.cabal | 2 +-
 src/Breve/Settings.hs | 29 +++++++++++++++++++----------
 src/Main.hs | 6 +++---
 4 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 1110e19..8f557ca 100644
--- a/README.md
+++ b/README.md
@@ -33,11 +33,15 @@ The default values are:
 hostname = "localhost"
 port = 3000
 urltable = "$XDG_CONFIG_HOME/breve"
-cert = "/usr/share/tls/breve.crt"
-key = "/usr/share/tls/breve.key"
+tls {
+ cert = "/usr/share/tls/breve.crt"
+ key = "/usr/share/tls/breve.key"
+ chain = []
+}
 ```
 
 `urltable` is the location of breve url hashtable
+`chain` is a list of chain certificate files
 
 ## License
 
diff --git a/breve.cabal b/breve.cabal
index 7bbb44d..be22860 100644
--- a/breve.cabal
+++ b/breve.cabal
@@ -29,7 +29,7 @@ executable breve
 other-modules: Application, Views, Breve.Settings, Breve.Generator, Breve.UrlTable
 other-extensions: OverloadedStrings
- build-depends: base >=4.8 && <5.0, warp, warp-tls,
+ build-depends: base >=4.8 && <5.0, warp, warp-tls, tls,
 Spock, blaze-html, http-types, wai, wai-middleware-static, wai-extra, transformers, mtl,
diff --git a/src/Breve/Settings.hs b/src/Breve/Settings.hs
index 9b4808a..1fa18ca 100644
--- a/src/Breve/Settings.hs
+++ b/src/Breve/Settings.hs
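Review bot: `tls` joins build-depends on the `+` line without any version bound, while `base` on the same line is bounded; the members of `ciphersuite_strong` and the set of `Version` constructors that Settings.hs now imports from it vary between tls releases, so an unbounded entry lets a later solver pick a release whose cipher defaults differ from the ones reviewed here. A bound of the form `tls >=<tested-major.minor> && <<next-major>`, filled in with the version this was built against, pins the reviewed behaviour. `warp` and `warp-tls` are unbounded as well, but they predate this change.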
@@ -1,21 +1,25 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 module Breve.Settings where
 
 import Control.Monad (when)
 import System.Environment (lookupEnv)
 import System.Environment.XDG.BaseDir
 import System.Directory (doesFileExist)
+import Data.Text (Text, pack)
 import Data.Configurator
 import Data.Monoid
-import Data.Text (Text, pack)
-import Network.Wai.Handler.WarpTLS (tlsSettings, TLSSettings)
+
+import Network.Wai.Handler.WarpTLS (TLSSettings (..), tlsSettingsChain)
+import Network.TLS (Version (..))
+import Network.TLS.Extra (ciphersuite_strong)
 
 data AppSettings = AppSettings
- { bindHost :: Text
- , bindPort :: Int
- , bindUrl :: Text
- , urlTable :: FilePath
- , tlsSetts :: TLSSettings
+ { bindHost :: Text
+ , bindPort :: Int
+ , bindUrl :: Text
+ , urlTable :: FilePath
+ , tlsSettings :: TLSSettings
 }
 
 
@@ -33,9 +37,10 @@ settings = do
 config <- load [Required configPath]
 host <- lookupDefault "localhost" config "hostname"
 port <- lookupDefault 3000 config "port"
- cert <- lookupDefault "/usr/share/tls/breve.crt" config "cert"
- key <- lookupDefault "/usr/share/tls/breve.key" config "key"
 urls <- lookupDefault urlsPath config "urltable"
+ cert <- lookupDefault "/usr/share/tls/breve.crt" config "tls.cert"
+ key <- lookupDefault "/usr/share/tls/breve.key" config "tls.key"
+ chain <- lookupDefault [] config "tls.chain"
 createEmptyIfMissing urls
 
 
@@ -43,11 +48,15 @@ settings = do
 url = if port == 443
 then base
 else base <> ":" <> pack (show port)
+ tls = (tlsSettingsChain cert chain key)
+ { tlsAllowedVersions = [TLS12, TLS11]
+ , tlsCiphers = ciphersuite_strong
+ }
 return AppSettings
 { bindHost = host
 , bindPort = port
 , bindUrl = url <> "/"
 , urlTable = urls
- , tlsSetts = tlsSettings cert key
+ , tlsSettings = tls
 }
 
diff --git a/src/Main.hs b/src/Main.hs
index 2fa70cc..d95f5f7 100644
--- a/src/Main.hs
+++ b/src/Main.hs
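Review bot: The new `tls` binding in the last hunk keeps `TLS11` in `tlsAllowedVersions` next to `TLS12`, and nothing in the change says why; in practice a TLS 1.1 client can only negotiate the CBC/SHA-1 members of `ciphersuite_strong`, so the line `{ tlsAllowedVersions = [TLS12, TLS11]` should become `{ tlsAllowedVersions = [TLS12]` unless a client that cannot speak TLS 1.2 is known to matter. If TLS 1.1 is kept on purpose, a comment on that line naming the client it exists for, e.g. `-- TLS11 kept for <client>; drop once it is gone`, stops the next reader from silently "fixing" it either way. The record update also hard-codes protocol policy that the config file cannot override, which is a sound default but worth one sentence in the README next to the new `tls` block. `settings` starts outside this hunk.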
@@ -13,8 +13,8 @@ import Network.Wai.Handler.WarpTLS (runTLS, TLSSettings)
 import Network.Wai.Handler.Warp (run, defaultSettings, setPort)
 
 runBreve :: TLSSettings -> Int -> SpockT IO () -> IO ()
-runBreve tls port spock =
- spockAsApp (spockT id spock) >>= runTLS tls settings
+runBreve tlsSettings port spock =
+ spockAsApp (spockT id spock) >>= runTLS tlsSettings settings
 where
 settings = setPort port defaultSettings
 
@@ -34,4 +34,4 @@ main = do
 
 when (bindPort == 443) (forkIO' $ runTLSRedirect bindHost)
 putStrLn ("Serving on " ++ unpack bindUrl)
- runBreve tlsSetts bindPort (app bindUrl table)
\ No newline at end of file
+ runBreve tlsSettings bindPort (app bindUrl table)
\ No newline at end of file