internal: update TLS Suite (#19076)

* internal: update TLS Suite

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* disable chacha20 due to fips

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

go.mod

@@ -1,8 +1,6 @@
 module goauthentik.io
 
-go 1.24.3
-
-toolchain go1.24.6
+go 1.25.5
 
 require (
 	beryju.io/ldap v0.1.0

internal/utils/tls.go

@@ -1,25 +1,39 @@
 package utils
 
-import "crypto/tls"
+import (
+	"crypto/tls"
+	"slices"
+)
 
 func GetTLSConfig() *tls.Config {
+	// Based on
+	// https://ssl-config.mozilla.org/#server=go&version=1.25&config=intermediate&guideline=5.7
 	tlsConfig := &tls.Config{
 		MinVersion: tls.VersionTLS12,
-		MaxVersion: tls.VersionTLS12,
+		CurvePreferences: []tls.CurveID{
+			tls.X25519,
+			tls.CurveP256,
+			tls.CurveP384,
+		},
+		PreferServerCipherSuites: true,
+		CipherSuites:             []uint16{},
 	}
 
-	// Insecure SWEET32 attack ciphers, TLS config uses a fallback
-	insecureCiphersIds := []uint16{
+	excludedCiphers := []uint16{
+		// ChaCha20 is not FIPS validated
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		// Insecure SWEET32 attack ciphers, TLS config uses a fallback
 		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 	}
+
 	defaultSecureCiphers := []uint16{}
 	for _, cs := range tls.CipherSuites() {
-		for _, icsId := range insecureCiphersIds {
-			if cs.ID != icsId {
-				defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
-			}
+		if slices.Contains(excludedCiphers, cs.ID) {
+			continue
 		}
+		defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
 	}
 	tlsConfig.CipherSuites = defaultSecureCiphers
 	return tlsConfig