From 682b28cbda3a64ffc2f1560c8982cdeb40b49a96 Mon Sep 17 00:00:00 2001
From: Darien Raymond
Date: Mon, 10 Sep 2018 23:55:54 +0200
Subject: [PATCH] fix tls.AllowInsecureCiphers

---
 transport/internet/tls/config.go | 2 +-
 transport/internet/tls/config_test.go | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go
index 96b94d921..9cf08a776 100644
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@@ -155,7 +155,7 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 opt(config)
 }
 
- if c.AllowInsecureCiphers && len(config.CipherSuites) == 0 {
+ if !c.AllowInsecureCiphers && len(config.CipherSuites) == 0 {
 config.CipherSuites = []uint16{
 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
diff --git a/transport/internet/tls/config_test.go b/transport/internet/tls/config_test.go
index 87c055687..15fe59514 100644
--- a/transport/internet/tls/config_test.go
+++ b/transport/internet/tls/config_test.go
@@ -62,3 +62,14 @@ func TestExpiredCertificate(t *testing.T) {
 assert(err, IsNil)
 assert(x509Cert.NotAfter.After(time.Now()), IsTrue)
 }
+
+func TestInsecureCertificates(t *testing.T) {
+ c := &Config{
+ AllowInsecureCiphers: true,
+ }
+
+ tlsConfig := c.GetTLSConfig()
+ if len(tlsConfig.CipherSuites) > 0 {
+ t.Fatal("Unexpected tls cipher suites list: ", tlsConfig.CipherSuites)
+ }
+}
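Review bot: In GetTLSConfig (config.go) the curated suite list is still gated on `len(config.CipherSuites) == 0`, so an Option that ran in the `opt(config)` loop just above and set its own suites skips the allow-list even when AllowInsecureCiphers is false. If that precedence is intended, state it on the condition, e.g. `// Options that set CipherSuites take precedence; this list is only the default when insecure ciphers are disallowed.`; if the flag is meant to be authoritative, the guard would be just `if !c.AllowInsecureCiphers {`. The function body and the rest of the suite list lie outside the hunk, so whether any Option actually sets CipherSuites cannot be confirmed from here.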
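Review bot: The new test in config_test.go pins only the `AllowInsecureCiphers: true` path, while the security-relevant default (flag false, restricted list applied) has no assertion, so a future re-inversion of the condition would still pass. A companion test for the zero-value Config would lock in the secure default; it presumably needs no other fields, since the added test calls GetTLSConfig on an otherwise empty Config. The name `TestInsecureCertificates` is also misleading, because the test is about cipher suites rather than certificates; `TestInsecureCiphers` would match what it checks.

```go
func TestSecureCiphersByDefault(t *testing.T) {
	c := &Config{}

	tlsConfig := c.GetTLSConfig()
	if len(tlsConfig.CipherSuites) == 0 {
		t.Fatal("Expected a restricted tls cipher suites list, got none")
	}
}
```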