From d6438114d44541b6b7abcb8c804fd39cd15b4b94 Mon Sep 17 00:00:00 2001
From: Olaoluwa Osuntokun
Date: Fri, 21 Aug 2020 19:42:04 -0700
Subject: [PATCH] aperture: relax TLS requirements

In this commit, we modify our cipher suites and required TLS versions to allow anything greater than TL 1.1. TLS 1.0 (sslv3) is broken so we require versions that're safely above that. Without this change, widely used clients such as `openssl` will fail to connect out to an Aperture proxy.
---
 aperture.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/aperture.go b/aperture.go
index daa01cc..669a1a7 100644
--- a/aperture.go
+++ b/aperture.go
@@ -63,6 +63,7 @@ var (
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 }
 )
@@ -323,7 +324,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 return &tls.Config{
 GetCertificate: manager.GetCertificate,
 CipherSuites: http2TLSCipherSuites,
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS10,
 }, nil
 }
@@ -399,7 +400,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 return &tls.Config{
 Certificates: []tls.Certificate{certData},
 CipherSuites: http2TLSCipherSuites,
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS10,
 }, nil
 }
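Review bot: The suite added in the first hunk, `tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, is a CBC-mode suite that Go's crypto/tls reports via InsecureCipherSuites (CBC-SHA256 suites are flagged there for Lucky13-style padding-oracle weaknesses), and it is a TLS 1.2-only suite, so it does nothing for the TLS 1.0/1.1 clients the commit message is trying to admit. The list is named `http2TLSCipherSuites`, which suggests it is meant to satisfy the HTTP/2 cipher-suite requirements; CBC suites are on the RFC 7540 Appendix A blacklist, so an h2 client that negotiates this suite may refuse the connection with INADEQUATE_SECURITY. I would drop the added line and, if `openssl` interop is the goal, add only an AEAD suite. The enclosing `var (` block starts and ends outside the hunk.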
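Review bot: The new `MinVersion: tls.VersionTLS10` in the second hunk contradicts the commit message: the message says the intent is to allow "anything greater than TLS 1.1" and that TLS 1.0 is broken, but `VersionTLS10` as a floor admits both TLS 1.0 and TLS 1.1, which are deprecated (RFC 8996). If the message states the real intent the line should stay `MinVersion: tls.VersionTLS12,` (or at the very least `tls.VersionTLS11`); the same change appears in the third hunk and should be handled identically. It is also worth confirming that the `openssl` connection failure is not caused by the ECDSA-only suite list being used with an RSA server certificate rather than by the version floor — if so, lowering MinVersion is not the fix. Both `getTLSConfig` bodies extend beyond their hunks.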