Diffstat (limited to 'src/daq/s5proxy/src/s5proxy/config.go')
-rw-r--r--src/daq/s5proxy/src/s5proxy/config.go49
1 files changed, 46 insertions, 3 deletions
diff --git a/src/daq/s5proxy/src/s5proxy/config.go b/src/daq/s5proxy/src/s5proxy/config.go
index 9bd5b3e..d8c61e0 100644
--- a/src/daq/s5proxy/src/s5proxy/config.go
+++ b/src/daq/s5proxy/src/s5proxy/config.go
@@ -33,6 +33,7 @@
package main
import (
+ "crypto/tls"
"encoding/json"
"errors"
"fmt"
@@ -170,6 +171,49 @@ func (h *HeaderOperation) Parse() (err error) {
return nil
}
+type TLSProtocolVersion uint16
+
+type TLSCipher uint16
+
+type TLSCurve tls.CurveID
+
+type TLSSessionTicketKey [32]byte
+
+type TLSConfig struct {
+ CertFile string `json:"certificate"`
+ KeyFile string `json:"certificate-key"`
+ MinVersion TLSProtocolVersion `json:"min-protocol-version"`
+ MaxVersion TLSProtocolVersion `json:"max-protocol-version"`
+ CipherSuites []TLSCipher `json:"ciphers"`
+ PreferServerCipherSuites bool `json:"prefer-server-ciphers"`
+ CurvePreferences []TLSCurve `json:"ecdh-curves"`
+ SessionTicketsDisabled bool `json:"session-tickets"`
+ SessionTicketKey TLSSessionTicketKey `json:"session-ticket-key"`
+}
+
+func (t TLSConfig) ToGoTLSConfig() (*tls.Config, error) {
+ cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO: generate cfg from t
+ cfg := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS10,
+ CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+ PreferServerCipherSuites: true,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ },
+ }
+
+ return cfg, nil
+}
+
type SFiveDuration int64
func (d *SFiveDuration) UnmarshalText(data []byte) error {
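Review bot: ToGoTLSConfig never reads MinVersion, MaxVersion, CipherSuites, CurvePreferences, SessionTicketsDisabled or SessionTicketKey (see `// TODO: generate cfg from t`), so every operator-facing knob in the new TLSConfig struct is dead and the listener always gets the hard-coded policy: a TLS 1.0 floor, two `TLS_RSA_*` suites whose static-RSA key exchange gives no forward secrecy, and two CBC/SHA-1 suites. The JSON tag on the disable flag is also inverted: with `SessionTicketsDisabled bool `json:"session-tickets"`` a config setting `"session-tickets": true` turns tickets off, so rename the tag to `session-tickets-disabled` or invert the field. A fixed `session-ticket-key` in a config file also keeps every resumed session decryptable for as long as that key is in use, which is worth a comment on the field pointing at rotation. Wiring the struct through is more than a few lines, so the rewrite of the config-building part follows; it falls back to TLS 1.2 only when no minimum is configured.
```go
func (t TLSConfig) ToGoTLSConfig() (*tls.Config, error) {
	// … unchanged: LoadX509KeyPair and its error check …
	cfg := &tls.Config{
		Certificates:             []tls.Certificate{cert},
		MinVersion:               tls.VersionTLS12, // default floor when the config leaves it unset
		PreferServerCipherSuites: t.PreferServerCipherSuites,
		SessionTicketsDisabled:   t.SessionTicketsDisabled,
	}
	if t.MinVersion != 0 {
		cfg.MinVersion = uint16(t.MinVersion)
	}
	if t.MaxVersion != 0 {
		cfg.MaxVersion = uint16(t.MaxVersion)
		if cfg.MinVersion > cfg.MaxVersion {
			return nil, fmt.Errorf("tls: min-protocol-version %d exceeds max-protocol-version %d", cfg.MinVersion, cfg.MaxVersion)
		}
	}
	for _, c := range t.CipherSuites {
		cfg.CipherSuites = append(cfg.CipherSuites, uint16(c))
	}
	for _, c := range t.CurvePreferences {
		cfg.CurvePreferences = append(cfg.CurvePreferences, tls.CurveID(c))
	}
	var zeroKey TLSSessionTicketKey
	if t.SessionTicketKey != zeroKey {
		cfg.SessionTicketKey = t.SessionTicketKey
	}
	return cfg, nil
}
```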
@@ -198,8 +242,7 @@ type Config struct {
Protocol ProtocolType `json:"protocol"`
Redirect2HTTPS RedirectCode `json:"redirect2https"`
ConnectAddr string `json:"connect"`
- CertFile string `json:"cert"`
- KeyFile string `json:"key"`
+ TLS TLSConfig `json:"tls"`
RequestHeader []HeaderOperation `json:"request_header"`
ResponseHeader []HeaderOperation `json:"response_header"`
SFive SFiveConf `json:"sfive"`
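Review bot: The certificate paths move from top-level `"cert"`/`"key"` to `"tls": {"certificate": …, "certificate-key": …}` with no compatibility shim; an existing config that still uses the old keys is silently ignored by encoding/json unless the decoder (not in view) calls DisallowUnknownFields, and readConfig then rejects it with the generic no-certificate message. Consider keeping the old fields as deprecated aliases (`CertFile string `json:"cert,omitempty"`` copied into `TLS` when the new one is empty) or naming the new `tls` section in that error. Config's definition starts before and ends after this hunk.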
@@ -232,7 +275,7 @@ func readConfig(configfile string) (conf *Config, err error) {
}
if conf.Protocol == HTTPAndHTTPS || conf.Protocol == HTTPSOnly {
- if conf.CertFile == "" || conf.KeyFile == "" {
+ if conf.TLS.CertFile == "" || conf.TLS.KeyFile == "" {
return nil, errors.New("HTTPs is enabled but no certificate and/or key file is supplied")
}
}
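Review bot: The check only verifies that the two path strings are non-empty; the new `min-protocol-version`/`max-protocol-version` pair is never validated, so a config with the minimum above the maximum is accepted here and would only fail, if at all, when the listener is built. Add `if conf.TLS.MaxVersion != 0 && conf.TLS.MinVersion > conf.TLS.MaxVersion { return nil, errors.New("tls: min-protocol-version exceeds max-protocol-version") }` next to this check. readConfig begins and ends outside the hunk.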