How to set TLS cipher for Go server?

I'm currently using the following listen and serve command to run a secure websocket/file server:

http.ListenAndServeTLS(":443", "site.crt","site.key", router)

However, I want to set the cipher to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and also set a min SSL/TLS version.

How can I do this?

I think I need to use this Config structure somehow, but I'm not sure how to do this.

2015: You can see an example in secrpc/tls_server.go:

tls.Listen("tcp", addr, &tls.Config{
	Certificates: []tls.Certificate{cert},
	CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	},
	MinVersion:               tls.VersionTLS12,
	PreferServerCipherSuites: true,
})

See also go/issues/11047 for an example using ListenAndServeTLS: once you have defined your Config, you define your server:

server := &http.Server{Addr: ":4000", Handler: nil, TLSConfig: config}
server.L

In 2021, you also have "Automatic cipher suite ordering in crypto/tls" from Filippo Valsorda:

> Go 1.17, recently released, takes over cipher suite preference ordering for all Go users.
>
> While Config.CipherSuites still controls which TLS 1.0–1.2 cipher suites are enabled, it is not used for ordering, and Config.PreferServerCipherSuites is now ignored.
>
> Instead, crypto/tls makes all ordering decisions, based on the available cipher suites, the local hardware, and the inferred remote hardware capabilities.