From 9943b9bafef5f283288708835beffd9d5c86dba7 Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo
Date: Thu, 7 Jun 2018 17:20:42 -0400
Subject: [PATCH] enable more tls 1.2 ciphers

---
 helper/tlsutil/config.go | 12 ++++++++++--
 helper/tlsutil/config_test.go | 19 ++++++++++++-------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go
index 91d2cfb66..8202b08db 100644
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -42,9 +42,17 @@ var supportedTLSCiphers = map[string]uint16{
 }
 
 // defaultTLSCiphers are the TLS Ciphers that are supported by default
-var defaultTLSCiphers = []string{"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+var defaultTLSCiphers = []string{
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 }
 
 // RegionSpecificWrapper is used to invoke a static Region and turns a
diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go
index f8eca41aa..f02520510 100644
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
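Review bot: The new `defaultTLSCiphers` slice repeats four suites — `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` and `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` each appear once in the first six entries and again in the last four added lines, so the default is six distinct suites padded to ten. Drop the four trailing duplicate lines so the slice holds exactly the six distinct entries; the `expectedCiphers` table in the config_test.go hunk at `@@ -696,9 +696,16 @@` mirrors the same duplication and needs the same four lines removed, otherwise the test pins the bug. Since `TestConfig_ParseCiphers_Default` asserts that `ParseCiphers("")` returns this exact sequence, the order here is presumably the preference order handed on to crypto/tls; if that is so it is worth saying in the comment, e.g. `// defaultTLSCiphers are the TLS 1.2 cipher suites used when none are configured, listed in preference order.`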
@@ -696,9 +696,16 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
 require := require.New(t)
 
 expectedCiphers := []uint16{
- tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 }
 
 parsedCiphers, err := ParseCiphers("")
@@ -709,11 +716,9 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
 
 func TestConfig_ParseCiphers_Invalid(t *testing.T) {
 require := require.New(t)
- invalidCiphers := []string{"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ invalidCiphers := []string{
+ "TLS_RSA_RSA_WITH_RC4_128_SHA",
+ "INVALID_CIPHER",
 }
 
 for _, cipher := range invalidCiphers {
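Review bot: `TestConfig_ParseCiphers_Invalid` no longer checks that any real legacy suite name is rejected: the removed `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_RC4_128_SHA`, `TLS_ECDHE_RSA_WITH_RC4_128_SHA` and `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA` are replaced by a misspelt `TLS_RSA_RSA_WITH_RC4_128_SHA` and `INVALID_CIPHER`, which only exercise the unknown-name path. The `supportedTLSCiphers` map begins before the config.go hunk, so it is not visible here whether those RC4/3DES suites are now accepted; if they are still rejected, keep the five original names in `invalidCiphers` next to the two new entries so that a later addition of an RC4 or 3DES suite to the map fails this test, and if they are now accepted that change deserves a mention in the commit message rather than a silent drop from the test. The loop that consumes `invalidCiphers` continues past the end of the hunk.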