Harden tls on all places (#5184)

PR 2938 hardens tls though there are other places that uses TLS
as well and setTLSDefaults are not invoked in other paths.

This PR hardens tls on all places.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is contained in:
Yong Tang 2022-02-17 12:26:08 -08:00 committed by GitHub
parent f8a02aaf58
commit c0c72e5894
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 20 deletions

View File

@ -11,6 +11,22 @@ import (
"time"
)
func setTLSDefaults(ctls *tls.Config) {
ctls.MinVersion = tls.VersionTLS12
ctls.MaxVersion = tls.VersionTLS13
ctls.CipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
}
// NewTLSConfigFromArgs returns a TLS config based upon the passed
// in list of arguments. Typically these come straight from the
// Corefile.
@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
return nil, err
}
return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil
tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}
setTLSDefaults(tlsConfig)
return tlsConfig, nil
}
// NewTLSClientConfig returns a TLS config for a client connection
@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) {
return nil, err
}
return &tls.Config{RootCAs: roots}, nil
tlsConfig := &tls.Config{RootCAs: roots}
setTLSDefaults(tlsConfig)
return tlsConfig, nil
}
func loadRoots(caPath string) (*x509.CertPool, error) {

View File

@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error {
return nil
}
func setTLSDefaults(tls *ctls.Config) {
tls.MinVersion = ctls.VersionTLS12
tls.MaxVersion = ctls.VersionTLS13
tls.CipherSuites = []uint16{
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
}
func parseTLS(c *caddy.Controller) error {
config := dnsserver.GetConfig(c)
@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error {
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
tls.ClientCAs = tls.RootCAs
setTLSDefaults(tls)
config.TLSConfig = tls
}
return nil