From 0667683e4d6b25dd17d5e182f255b71989e4e133 Mon Sep 17 00:00:00 2001
From: Alex X <alexey.khit@gmail.com>
Date: Fri, 7 Jun 2024 17:57:36 +0300
Subject: [PATCH] Restore support old cipher suites after go1.22 #1172

---
 pkg/tcp/request.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/pkg/tcp/request.go b/pkg/tcp/request.go
index 88da83b6..13463cd7 100644
--- a/pkg/tcp/request.go
+++ b/pkg/tcp/request.go
@@ -19,11 +19,11 @@ func Do(req *http.Request) (*http.Response, error) {
 
 	switch req.URL.Scheme {
 	case "httpx":
-		secure = &tls.Config{InsecureSkipVerify: true}
+		secure = insecureConfig
 		req.URL.Scheme = "https"
 	case "https":
 		if hostname := req.URL.Hostname(); IsIP(hostname) {
-			secure = &tls.Config{InsecureSkipVerify: true}
+			secure = insecureConfig
 		}
 	}
 
@@ -144,6 +144,22 @@ type key string
 var connKey = key("conn")
 var secureKey = key("secure")
 
+var insecureConfig = &tls.Config{
+	InsecureSkipVerify: true,
+	CipherSuites: []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+
+		// this cipher suites disabled starting from https://tip.golang.org/doc/go1.22
+		// but cameras can't work without them https://github.com/AlexxIT/go2rtc/issues/1172
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // insecure
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // insecure
+	},
+}
+
 func WithConn() (context.Context, *net.Conn) {
 	pconn := new(net.Conn)
 	return context.WithValue(context.Background(), connKey, pconn), pconn