From 72d0debde6bf01b5fdce0a4f3dc2b35cba28241a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?W=C3=A8i=20C=C5=8Dngru=C3=AC?= <crvv.mail@gmail.com>
Date: Tue, 26 Feb 2019 09:39:30 +0800
Subject: [PATCH] caddytls: add TLS 1.3 support and remove CBC ciphers (#2399)

---
 caddytls/config.go     | 11 ++---------
 caddytls/setup.go      |  4 ++++
 caddytls/setup_test.go |  4 ++--
 3 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/caddytls/config.go b/caddytls/config.go
index 214eb73b8..939f3dfbd 100644
--- a/caddytls/config.go
+++ b/caddytls/config.go
@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) {
 		config.ProtocolMinVersion = tls.VersionTLS12
 	}
 	if config.ProtocolMaxVersion == 0 {
-		config.ProtocolMaxVersion = tls.VersionTLS12
+		config.ProtocolMaxVersion = tls.VersionTLS13
 	}
 
 	// Prefer server cipher suites
@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{
 	"tls1.0": tls.VersionTLS10,
 	"tls1.1": tls.VersionTLS11,
 	"tls1.2": tls.VersionTLS12,
+	"tls1.3": tls.VersionTLS13,
 }
 
 // GetSupportedProtocolName returns the protocol name
@@ -489,10 +490,6 @@ var defaultCiphers = []uint16{
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 }
 
 // List of ciphers we should prefer if native AESNI support is missing
@@ -503,10 +500,6 @@ var defaultCiphersNonAESNI = []uint16{
 	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 }
 
 // getPreferredDefaultCiphers returns an appropriate cipher suite to use, depending on
diff --git a/caddytls/setup.go b/caddytls/setup.go
index 02a694bd8..798c74340 100644
--- a/caddytls/setup.go
+++ b/caddytls/setup.go
@@ -34,6 +34,10 @@ import (
 )
 
 func init() {
+	// opt-in TLS 1.3 for Go1.12
+	// TODO: remove this line when Go1.13 is released.
+	os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
+
 	caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS})
 
 	// ensure the default Storage implementation is plugged in
diff --git a/caddytls/setup_test.go b/caddytls/setup_test.go
index e973eb2b4..3c5ded0e4 100644
--- a/caddytls/setup_test.go
+++ b/caddytls/setup_test.go
@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) {
 	if cfg.ProtocolMinVersion != tls.VersionTLS12 {
 		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion)
 	}
-	if cfg.ProtocolMaxVersion != tls.VersionTLS12 {
-		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", cfg.ProtocolMaxVersion)
+	if cfg.ProtocolMaxVersion != tls.VersionTLS13 {
+		t.Errorf("Expected 'tls1.3 (0x0304)' as ProtocolMaxVersion, got %#v", cfg.ProtocolMaxVersion)
 	}
 
 	// Cipher checks