mirror of
https://github.com/coredns/coredns.git
synced 2025-08-06 06:17:00 +02:00
Harden tls on all places (#5184)
PR 2938 hardens tls though there are other places that uses TLS as well and setTLSDefaults are not invoked in other paths. This PR hardens tls on all places. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is contained in:
parent
f8a02aaf58
commit
c0c72e5894
@ -11,6 +11,22 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
func setTLSDefaults(ctls *tls.Config) {
|
||||
ctls.MinVersion = tls.VersionTLS12
|
||||
ctls.MaxVersion = tls.VersionTLS13
|
||||
ctls.CipherSuites = []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
}
|
||||
}
|
||||
|
||||
// NewTLSConfigFromArgs returns a TLS config based upon the passed
|
||||
// in list of arguments. Typically these come straight from the
|
||||
// Corefile.
|
||||
@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil
|
||||
tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}
|
||||
setTLSDefaults(tlsConfig)
|
||||
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
// NewTLSClientConfig returns a TLS config for a client connection
|
||||
@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &tls.Config{RootCAs: roots}, nil
|
||||
tlsConfig := &tls.Config{RootCAs: roots}
|
||||
setTLSDefaults(tlsConfig)
|
||||
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
func loadRoots(caPath string) (*x509.CertPool, error) {
|
||||
|
@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func setTLSDefaults(tls *ctls.Config) {
|
||||
tls.MinVersion = ctls.VersionTLS12
|
||||
tls.MaxVersion = ctls.VersionTLS13
|
||||
tls.CipherSuites = []uint16{
|
||||
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
}
|
||||
}
|
||||
|
||||
func parseTLS(c *caddy.Controller) error {
|
||||
config := dnsserver.GetConfig(c)
|
||||
|
||||
@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error {
|
||||
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
|
||||
tls.ClientCAs = tls.RootCAs
|
||||
|
||||
setTLSDefaults(tls)
|
||||
|
||||
config.TLSConfig = tls
|
||||
}
|
||||
return nil
|
||||
|
Loading…
Reference in New Issue
Block a user