TLS hardening (#2938)

Automatically submitted.

plugin/tls/tls.go

@@ -25,6 +25,23 @@ func setup(c *caddy.Controller) error {
 	return nil
 }
 
+func setTLSDefaults(tls *ctls.Config) {
+	tls.MinVersion = ctls.VersionTLS12
+	tls.MaxVersion = ctls.VersionTLS13
+	tls.CipherSuites = []uint16{
+		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+	tls.PreferServerCipherSuites = true
+}
+
 func parseTLS(c *caddy.Controller) error {
 	config := dnsserver.GetConfig(c)
 
@@ -70,6 +87,9 @@ func parseTLS(c *caddy.Controller) error {
 		tls.ClientAuth = clientAuth
 		// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
 		tls.ClientCAs = tls.RootCAs
+
+		setTLSDefaults(tls)
+
 		config.TLSConfig = tls
 	}
 	return nil