From 11de43cb82514a51e6d4977871b83f0a209db87e Mon Sep 17 00:00:00 2001
From: Peter Dave Hello <hsu@peterdavehello.org>
Date: Thu, 12 May 2022 05:15:36 +0800
Subject: [PATCH] Improve DoT server TLS cipher suites

This removes some VULNERABLE, or potentially VULNERABLE ciphers, like
Triple DES and Obsoleted CBC ciphers, for the DoT server.
---
 server/server.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/server.go b/server/server.go
index 0d7da4561..fff23072f 100644
--- a/server/server.go
+++ b/server/server.go
@@ -190,6 +190,14 @@ func createTLSServer(address string, certFile string, keyFile string) (*dns.Serv
 		TLSConfig: &tls.Config{
 			Certificates: []tls.Certificate{cer},
 			MinVersion:   tls.VersionTLS12,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			},
 		},
 		Handler: dns.NewServeMux(),
 		NotifyStartedFunc: func() {