lib/httpserver: added tlsCipherSuites flag (#2468)

* lib/httpserver: added tlsCipherSuites flag

* lib/httpserver: compare lower case strings

* lib/httpserver: use EqualFold

* lib/httpserver: used flagutil.NewArray, supported only strings cipher suites

* lib/httpserver: updated flag description, added flag to documentation

* Update lib/httpserver/httpserver.go

Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com>

lib/httpserver/httpserver.go

@@ -30,9 +30,10 @@ import (
 )
 
 var (
-	tlsEnable   = flag.Bool("tls", false, "Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set")
-	tlsCertFile = flag.String("tlsCertFile", "", "Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated")
-	tlsKeyFile  = flag.String("tlsKeyFile", "", "Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated")
+	tlsEnable       = flag.Bool("tls", false, "Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set")
+	tlsCertFile     = flag.String("tlsCertFile", "", "Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower. The provided certificate file is automatically re-read every second, so it can be dynamically updated")
+	tlsKeyFile      = flag.String("tlsKeyFile", "", "Path to file with TLS key. Used only if -tls is set. The provided key file is automatically re-read every second, so it can be dynamically updated")
+	tlsCipherSuites = flagutil.NewArray("tlsCipherSuites", "Cipher suites names for TLS encryption. For example, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA. Used only if -tls flag is set")
 
 	pathPrefix = flag.String("http.pathPrefix", "", "An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, "+
 		"then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. "+
@@ -100,10 +101,18 @@ func Serve(addr string, rh RequestHandler) {
 		var certLock sync.Mutex
 		var certDeadline uint64
 		var cert *tls.Certificate
+		var cipherSuites []uint16
 		c, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
 		if err != nil {
 			logger.Fatalf("cannot load TLS cert from tlsCertFile=%q, tlsKeyFile=%q: %s", *tlsCertFile, *tlsKeyFile, err)
 		}
+		if len(*tlsCipherSuites) != 0 {
+			collectedCipherSuites, err := collectCipherSuites(*tlsCipherSuites)
+			if err != nil {
+				logger.Fatalf("cannot use TLS cipher suites from tlsCipherSuites=%q: %s", *tlsCipherSuites, err)
+			}
+			cipherSuites = collectedCipherSuites
+		}
 		cert = &c
 		cfg := &tls.Config{
 			MinVersion:               tls.VersionTLS12,
@@ -121,6 +130,7 @@ func Serve(addr string, rh RequestHandler) {
 				}
 				return cert, nil
 			},
+			CipherSuites: cipherSuites,
 		}
 		ln = tls.NewListener(ln, cfg)
 	}
@@ -687,3 +697,21 @@ func GetRequestURI(r *http.Request) string {
 	}
 	return requestURI + delimiter + queryArgs
 }
+
+func collectCipherSuites(definedCipherSuites []string) ([]uint16, error) {
+	var cipherSuites []uint16
+
+	supportedCipherSuites := tls.CipherSuites()
+	supportedCipherSuitesMap := make(map[string]uint16, len(supportedCipherSuites))
+	for _, scf := range supportedCipherSuites {
+		supportedCipherSuitesMap[strings.ToLower(scf.Name)] = scf.ID
+	}
+	for _, gotSuite := range definedCipherSuites {
+		id, ok := supportedCipherSuitesMap[strings.ToLower(gotSuite)]
+		if !ok {
+			return nil, fmt.Errorf("got unsupported cipher suite name: %s", gotSuite)
+		}
+		cipherSuites = append(cipherSuites, id)
+	}
+	return cipherSuites, nil
+}