From 4f27f4b0020a0715be830e6f557fa04fa850b0cb Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 28 Jul 2021 13:56:05 -0700 Subject: [PATCH] Change default ciphersuites to newer names. --- authority/config/config.go | 3 ++- authority/config/tls_options.go | 19 ++++++++----------- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/authority/config/config.go b/authority/config/config.go index 4d7592ac..7c6de130 100644 --- a/authority/config/config.go +++ b/authority/config/config.go @@ -189,9 +189,10 @@ func (c *Config) Validate() error { switch { case c.Address == "": return errors.New("address cannot be empty") - case len(c.DNSNames) == 0: return errors.New("dnsNames cannot be empty") + case c.AuthorityConfig == nil: + return errors.New("authority cannot be nil") } // Options holds the RA/CAS configuration. diff --git a/authority/config/tls_options.go b/authority/config/tls_options.go index ed61cfc9..0db202e5 100644 --- a/authority/config/tls_options.go +++ b/authority/config/tls_options.go @@ -15,8 +15,9 @@ var ( // DefaultTLSRenegotiation default TLS connection renegotiation policy. DefaultTLSRenegotiation = false // Never regnegotiate. // DefaultTLSCipherSuites specifies default step ciphersuite(s). + // These are TLS 1.0 - 1.2 cipher suites. DefaultTLSCipherSuites = CipherSuites{ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", } // ApprovedTLSCipherSuites smallstep approved ciphersuites. 
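Review bot: As rendered here the `-` marker sits on `case len(c.DNSNames) == 0:` while `return errors.New("dnsNames cannot be empty")` remains as context, which on the new side would leave that return unreachable (the address case already returns) and silently drop the dnsNames check. The hunk counts (9 old, 10 new: one removal, two additions) are equally consistent with the removed line being a blank line that the flattening merged into the following case, so this is probably a rendering artifact, but it is worth confirming against the real patch: `go vet` would flag the unreachable statement, and losing the dnsNames check would be a validation regression. The added `case c.AuthorityConfig == nil:` looks like the right guard for whatever dereferences `c.AuthorityConfig` after the switch (the trailing `// Options holds the RA/CAS configuration.` comment suggests an `Options` access follows, but that code is not in the hunk). Validate's body continues outside the hunk.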
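Review bot: The added comment `// These are TLS 1.0 - 1.2 cipher suites.` is misleading for the two suites it sits above: ECDHE-ECDSA with AES-128-GCM (RFC 5289) and with ChaCha20-Poly1305 (RFC 7905) are AEAD suites defined only for TLS 1.2, so a TLS 1.0/1.1 client would find nothing negotiable if the minimum version were ever lowered. What is true is that the setting only governs TLS 1.2 and earlier because Go does not allow configuring TLS 1.3 cipher suites; I would write `// CipherSuites only applies to TLS 1.2 and earlier (TLS 1.3 suites are not configurable in Go);` followed by `// both defaults are TLS 1.2-only AEAD suites.` Separately, renaming the default string means any name-to-ID lookup elsewhere in this file (not in the hunk) that is keyed on `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305` should keep accepting the old spelling as an alias, as crypto/tls itself does with its deprecated constant; otherwise existing configuration files that spell the suite the old way stop validating on upgrade.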
@@ -26,25 +27,21 @@ var (
 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 }
 // DefaultTLSOptions represents the default TLS version as well as the cipher
 // suites used in the TLS certificates.
 DefaultTLSOptions = TLSOptions{
- CipherSuites: CipherSuites{
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- },
- MinVersion: 1.2,
- MaxVersion: 1.2,
- Renegotiation: false,
+ CipherSuites: DefaultTLSCipherSuites,
+ MinVersion: DefaultTLSMinVersion,
+ MaxVersion: DefaultTLSMaxVersion,
+ Renegotiation: DefaultTLSRenegotiation,
 }
 
 )
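Review bot: Pointing `CipherSuites: DefaultTLSCipherSuites,` at the shared list silently removes `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` (and the AES-256-GCM suite) from the defaults, because `DefaultTLSCipherSuites` as shown in the previous hunk carries only ECDHE_ECDSA suites; a CA whose TLS certificate uses an RSA key would then have no suite to offer a TLS 1.2 client and the handshake has nothing to negotiate. Unless ECDSA-only defaults are intended, add `"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",` to `DefaultTLSCipherSuites`, or document that RSA-keyed deployments must set `cipherSuites` explicitly. The old literal also pinned `MinVersion`/`MaxVersion` to 1.2, while the new fields take `DefaultTLSMinVersion`/`DefaultTLSMaxVersion`, which are declared outside this hunk; if those are not both 1.2 the commit changes the default protocol window as well, which goes beyond the rename the title describes and should be stated in the description.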