From ffccc2e1bd7aa2466bd9e631e976bfd7ca46f225 Mon Sep 17 00:00:00 2001
From: Ivan Kozlovic
Date: Thu, 29 Apr 2021 12:50:23 -0600
Subject: [PATCH] [FIXED] TLS: default ciphers not set when tls enabled from command line
If running the server with command lines:
```
nats-server --tlsverify --tlscert "cert.pem" --tlskey "key.pem"
```
the default ciphers would not be set, however, they would using this equivalent config:
```
tls: { verify: true cert_file: "cert.pem" key_file: "key.pem" }
```
Reported by @DavidSimner
Signed-off-by: Ivan Kozlovic
---
 server/opts.go | 1 +
 server/opts_test.go | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/server/opts.go b/server/opts.go
index cc5c08aca1..10b085492d 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -4342,6 +4342,7 @@ func overrideTLS(opts *Options) error {
 tc.KeyFile = opts.TLSKey
 tc.CaFile = opts.TLSCaCert
 tc.Verify = opts.TLSVerify
+ tc.Ciphers = defaultCipherSuites()
 var err error
 opts.TLSConfig, err = GenTLSConfig(&tc)
diff --git a/server/opts_test.go b/server/opts_test.go
index 0c75b8e480..d79d001c2c 100644
--- a/server/opts_test.go
+++ b/server/opts_test.go
@@ -1522,6 +1522,10 @@ func TestConfigureOptions(t *testing.T) {
 if opts.TLSConfig == nil || !opts.TLS {
 t.Fatal("Expected TLSConfig to be set")
 }
+ // Check that we use default TLS ciphers
+ if !reflect.DeepEqual(opts.TLSConfig.CipherSuites, defaultCipherSuites()) {
+ t.Fatalf("Default ciphers not set, expected %v, got %v", defaultCipherSuites(), opts.TLSConfig.CipherSuites)
+ }
 }
 func TestClusterPermissionsConfig(t *testing.T) {
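Review bot: The added `tc.Ciphers = defaultCipherSuites()` in overrideTLS patches a single field and duplicates a default that, per the commit description, the config-file path already applies elsewhere, so the two paths can drift apart again. If the config parser also fills in other TLS defaults when they are unset (curve preferences, for example; not visible in this hunk), the command-line path may still end up with a different TLS policy than the equivalent `tls {}` block, which is worth checking. Applying the defaults in one shared place, such as inside GenTLSConfig when the field is nil, would remove the coupling. Short of that, a comment like `// Keep in sync with the defaults applied when parsing the tls{} config block.` above the assignment would document it. overrideTLS starts and ends outside the hunk.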
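Review bot: The new assertion in TestConfigureOptions compares `opts.TLSConfig.CipherSuites` only against `defaultCipherSuites()`, so it would still pass if that helper ever returned nil and the server fell back to the runtime's cipher list. Since this is the regression test for a TLS hardening default, I would add an explicit non-empty check before the comparison: `if len(opts.TLSConfig.CipherSuites) == 0 { t.Fatal("Expected a non-empty default cipher suite list") }`. Storing the expected value once (`expected := defaultCipherSuites()`) would also avoid calling the helper three times. The test function starts outside the hunk.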