修复 CVE-2016-2183

2025-08-07 21:28:50 +08:00 · 2022-04-07 15:11:14 +08:00
parent 500a11612c
commit 2b580067a2
3 changed files with 41 additions and 22 deletions
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -2,6 +2,7 @@
 package admin

 import (
+	"crypto/tls"
 	"embed"
 	"net/http"
 	"net/http/pprof"
@@ -69,7 +70,25 @@ func StartAdmin() {
 	}

 	base.Info("Listen admin", base.Cfg.AdminAddr)
-	err := http.ListenAndServeTLS(base.Cfg.AdminAddr, base.Cfg.CertFile, base.Cfg.CertKey, r)
+
+	// 修复 CVE-2016-2183
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
+	}
+	// 设置tls信息
+	tlsConfig := &tls.Config{
+		NextProtos:   []string{"http/1.1"},
+		MinVersion:   tls.VersionTLS12,
+		CipherSuites: selectedCipherSuites,
+	}
+	srv := &http.Server{
+		Addr:      base.Cfg.AdminAddr,
+		Handler:   r,
+		TLSConfig: tlsConfig,
+	}
+	err := srv.ListenAndServeTLS(base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil {
 		base.Fatal(err)
 	}
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -19,11 +19,8 @@ func startTls() {
 	var (
 		err error

-		addr     = base.Cfg.ServerAddr
-		certFile = base.Cfg.CertFile
-		keyFile  = base.Cfg.CertKey
-		certs    = make([]tls.Certificate, 1)
-		ln       net.Listener
+		addr = base.Cfg.ServerAddr
+		ln   net.Listener
 	)

 	// 判断证书文件
@@ -36,16 +33,18 @@ func startTls() {
 	//	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 	// }

-	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		panic(err)
+	// 修复 CVE-2016-2183
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}

 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
 		MinVersion:   tls.VersionTLS12,
-		Certificates: certs,
+		CipherSuites: selectedCipherSuites,
 		// InsecureSkipVerify: true,
 	}
 	srv := &http.Server{
@@ -66,7 +65,7 @@ func startTls() {
 	}

 	base.Info("listen server", addr)
-	err = srv.ServeTLS(ln, "", "")
+	err = srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil {
 		base.Fatal(err)
 	}