How to set TLS cipher for Go server?

I'm currently using the following listen and serve command to run a secure websocket/file server:

http.ListenAndServeTLS(":443", "site.crt","site.key", router)

However, I want to set the cipher to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and also set a min SSL/TLS version.

How can I do this?

I think I need to use this Config structure somehow, but I'm not sure how to do this.



Solution 1:[1]

2015: You can see an example in secrpc/tls_server.go:

tls.Listen("tcp", addr, &tls.Config{
    Certificates: []tls.Certificate{cert},
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    },
    MinVersion:               tls.VersionTLS12,
    PreferServerCipherSuites: true,
})

See also go/issues/11047 for an example using ListenAndServeTLS: once you have defined your Config, you define your server:

server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
// Certificate and key files as in the question; with TLSConfig set, they are only used to load the certificate.
log.Fatal(server.ListenAndServeTLS("site.crt", "site.key"))

In 2021, you also have "Automatic cipher suite ordering in crypto/tls" from Filippo Valsorda:

Go 1.17, recently released, takes over cipher suite preference ordering for all Go users.

While Config.CipherSuites still controls which TLS 1.0–1.2 cipher suites are enabled, it is not used for ordering, and Config.PreferServerCipherSuites is now ignored.

Instead, crypto/tls makes all ordering decisions, based on the available cipher suites, the local hardware, and the inferred remote hardware capabilities.
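As an added example (not code from the answer or from secrpc), the config the answer describes, wired into an http.Server and checked with a loopback handshake: the client is restricted to the requested suite, to TLS 1.0/1.1 only, and to TLS 1.3. It assumes net/http/httptest, which supplies its own localhost RSA test certificate, and the Negotiate helper is mine.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewTLSConfig allows TLS 1.2+ and only the two ECDHE AES-GCM suites; the certificate still comes
// from ListenAndServeTLS(certFile, keyFile). Since Go 1.17 CipherSuites only gates which TLS 1.0-1.2
// suites are enabled (crypto/tls orders them and PreferServerCipherSuites is ignored), so it is left out.
func NewTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// Negotiate serves NewTLSConfig on a loopback httptest server (which adds its own localhost RSA test
// certificate), connects with the given client config and returns the negotiated state or the alert error.
func Negotiate(client *tls.Config) (tls.ConnectionState, error) {
	ts := httptest.NewUnstartedServer(http.NotFoundHandler())
	ts.TLS = NewTLSConfig()
	ts.StartTLS()
	defer ts.Close()
	pool := x509.NewCertPool()
	pool.AddCert(ts.Certificate())
	client.RootCAs = pool // trust only the test server's certificate; this mutates the caller's config
	cli, err := tls.Dial("tcp", ts.Listener.Addr().String(), client)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer cli.Close()
	return cli.ConnectionState(), nil
}

func main() {
	// A TLS 1.2 client offering only the requested suite gets exactly that suite.
	st, err := Negotiate(&tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}})
	fmt.Printf("%#x %s %v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)
	// Under TLS 1.3 the CipherSuites list is not consulted; a TLS 1.0/1.1-only client is rejected by MinVersion.
	st, _ = Negotiate(&tls.Config{CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}})
	_, err = Negotiate(&tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11})
	fmt.Printf("%#x %s; old client: %v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)
}
```

The rejected handshakes are also logged by the server as "http: TLS handshake error" on stderr, which is the server-side signal to watch for clients that fail the new floor.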

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
