From 0cc062297e2c27f9a1abcb1a00172d1e0281f8cb Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Thu, 14 Dec 2017 08:46:15 +0000
Subject: [PATCH] Use HTTP/2-compatible TLS ciphers

---
 serverutil/tls.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/serverutil/tls.go b/serverutil/tls.go
index 926488f..7e5adff 100644
--- a/serverutil/tls.go
+++ b/serverutil/tls.go
@@ -60,6 +60,11 @@ func (c *TLSAuthConfig) match(req *http.Request) bool {
 	return false
 }
 
+var serverCiphers = []uint16{
+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+}
+
 // TLSServerConfig configures a TLS server with client authentication
 // and authorization based on the client X509 certificate.
 type TLSServerConfig struct {
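Review bot: `serverCiphers` has no comment, although it now defines the whole TLS 1.2 cipher policy for every server built by `TLSConfig`, and it drops the previously configured `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` instead of adding to it. A peer configured to offer only that AES-256 suite would no longer complete a handshake after this change. If that is not intended, keep it as a third entry after the two AES-128 suites. I would also add a comment such as `// serverCiphers lists the TLS 1.2 suites offered by TLSConfig; HTTP/2 (RFC 7540, section 9.2.2) needs an ECDHE AES_128_GCM_SHA256 suite in the list.` so the next edit does not remove the entry HTTP/2 depends on.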
@@ -87,7 +92,7 @@ func (c *TLSServerConfig) TLSConfig() (*tls.Config, error) {
 		Certificates:             []tls.Certificate{cert},
 		ClientAuth:               tls.RequireAndVerifyClientCert,
 		ClientCAs:                cas,
-		CipherSuites:             []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
+		CipherSuites:             serverCiphers,
 		MinVersion:               tls.VersionTLS12,
 		PreferServerCipherSuites: true,
 	}
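Review bot: `CipherSuites: serverCiphers` gives every returned `*tls.Config` the same backing array as the package-level variable. Code that edits one config's `CipherSuites` elements in place would therefore silently change the cipher policy of every other server in the process. Copying at the point of use keeps each config independent: `CipherSuites: append([]uint16(nil), serverCiphers...),`. The body of `TLSConfig` starts and ends outside this hunk, so whether any caller mutates the returned config cannot be checked from here.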
-- 
GitLab