rpc: set tls options (#168)

* rpc: set tls options

* build: golangci-lint v1.30.0

.github/workflows/go.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Check out source
         uses: actions/checkout@v2
       - name: Install Linters
-        run: "curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.29.0"
+        run: "curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.30.0"
       - name: Build
         env:
           GO111MODULE: "on"

rpc/client.go

@@ -38,7 +38,19 @@ func setup(user, pass, addr string, cert []byte, n wsrpc.Notifier) *client {
 	// Create TLS options.
 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(cert)
-	tc := &tls.Config{RootCAs: pool}
+	tc := &tls.Config{
+		MinVersion:       tls.VersionTLS12,
+		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
+		CipherSuites: []uint16{ // Only applies to TLS 1.2. TLS 1.3 ciphersuites are not configurable.
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+		RootCAs: pool,
+	}
 	tlsOpt := wsrpc.WithTLSConfig(tc)
 
 	// Create authentication options.