From dd2492985785a7a3f68a8eb1a19becb3a16a3dad Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 30 Oct 2025 05:46:52 +0000
Subject: [PATCH 1/3] Initial plan


From 91db649486cd7da38d7e4edc9752270897878324 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 30 Oct 2025 05:52:46 +0000
Subject: [PATCH 2/3] Disable 3DES cipher suites to prevent Sweet32 attack

Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com>
---
 service/proxy.go           |  9 ++++++
 service/tls_config_test.go | 62 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 service/tls_config_test.go

diff --git a/service/proxy.go b/service/proxy.go
index bf8f17f..06e81c5 100644
--- a/service/proxy.go
+++ b/service/proxy.go
@@ -307,6 +307,15 @@ func Start() {
 			Addr: fmt.Sprintf(":%d", gatewayHttpsPort),
 			TLSConfig: &tls.Config{
 				MinVersion: tls.VersionTLS12,
+				CipherSuites: []uint16{
+					// Secure cipher suites for TLS 1.2 (excluding 3DES to prevent Sweet32 attack)
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				},
 			},
 		}
 
diff --git a/service/tls_config_test.go b/service/tls_config_test.go
new file mode 100644
index 0000000..f14632e
--- /dev/null
+++ b/service/tls_config_test.go
@@ -0,0 +1,62 @@
+// Copyright 2023 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import (
+	"crypto/tls"
+	"testing"
+)
+
+// TestTLSConfigExcludes3DES verifies that the TLS configuration excludes
+// 3DES cipher suites that are vulnerable to the Sweet32 attack
+func TestTLSConfigExcludes3DES(t *testing.T) {
+	// Create the TLS config as it would be in the actual server
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		},
+	}
+
+	// Define vulnerable 3DES cipher suites
+	vulnerableCiphers := []uint16{
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	}
+
+	// Verify that none of the vulnerable ciphers are in the allowed list
+	for _, vulnerableCipher := range vulnerableCiphers {
+		for _, allowedCipher := range tlsConfig.CipherSuites {
+			if vulnerableCipher == allowedCipher {
+				t.Errorf("Vulnerable 3DES cipher suite 0x%04X found in allowed cipher suites (Sweet32 vulnerability)", vulnerableCipher)
+			}
+		}
+	}
+
+	// Verify minimum TLS version is set to 1.2 or higher
+	if tlsConfig.MinVersion < tls.VersionTLS12 {
+		t.Errorf("Minimum TLS version should be 1.2 or higher, got: %d", tlsConfig.MinVersion)
+	}
+
+	// Verify that we have at least some secure cipher suites configured
+	if len(tlsConfig.CipherSuites) == 0 {
+		t.Error("No cipher suites configured - default cipher suites may include vulnerable 3DES")
+	}
+}

From 61b020b747e0f555c497e4f56a270a7fc5ad9232 Mon Sep 17 00:00:00 2001
From: Gucheng <85475922+nomeguy@users.noreply.github.com>
Date: Thu, 30 Oct 2025 14:34:27 +0800
Subject: [PATCH 3/3] Delete service/tls_config_test.go

---
 service/tls_config_test.go | 62 --------------------------------------
 1 file changed, 62 deletions(-)
 delete mode 100644 service/tls_config_test.go

diff --git a/service/tls_config_test.go b/service/tls_config_test.go
deleted file mode 100644
index f14632e..0000000
--- a/service/tls_config_test.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2023 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package service
-
-import (
-	"crypto/tls"
-	"testing"
-)
-
-// TestTLSConfigExcludes3DES verifies that the TLS configuration excludes
-// 3DES cipher suites that are vulnerable to the Sweet32 attack
-func TestTLSConfigExcludes3DES(t *testing.T) {
-	// Create the TLS config as it would be in the actual server
-	tlsConfig := &tls.Config{
-		MinVersion: tls.VersionTLS12,
-		CipherSuites: []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		},
-	}
-
-	// Define vulnerable 3DES cipher suites
-	vulnerableCiphers := []uint16{
-		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	}
-
-	// Verify that none of the vulnerable ciphers are in the allowed list
-	for _, vulnerableCipher := range vulnerableCiphers {
-		for _, allowedCipher := range tlsConfig.CipherSuites {
-			if vulnerableCipher == allowedCipher {
-				t.Errorf("Vulnerable 3DES cipher suite 0x%04X found in allowed cipher suites (Sweet32 vulnerability)", vulnerableCipher)
-			}
-		}
-	}
-
-	// Verify minimum TLS version is set to 1.2 or higher
-	if tlsConfig.MinVersion < tls.VersionTLS12 {
-		t.Errorf("Minimum TLS version should be 1.2 or higher, got: %d", tlsConfig.MinVersion)
-	}
-
-	// Verify that we have at least some secure cipher suites configured
-	if len(tlsConfig.CipherSuites) == 0 {
-		t.Error("No cipher suites configured - default cipher suites may include vulnerable 3DES")
-	}
-}