Add support for MaxVersion in tls.Options
This commit is contained in:
parent
5f8fb6c226
commit
1f39083555
8 changed files with 72 additions and 0 deletions
|
@ -181,6 +181,57 @@ spec:
|
||||||
minVersion: VersionTLS13
|
minVersion: VersionTLS13
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Maximum TLS Version
|
||||||
|
|
||||||
|
We discourages the use of this setting to disable TLS1.3.
|
||||||
|
|
||||||
|
The right approach is to update the clients to support TLS1.3.
|
||||||
|
|
||||||
|
```toml tab="File (TOML)"
|
||||||
|
# Dynamic configuration
|
||||||
|
|
||||||
|
[tls.options]
|
||||||
|
|
||||||
|
[tls.options.default]
|
||||||
|
maxVersion = "VersionTLS13"
|
||||||
|
|
||||||
|
[tls.options.maxtls12]
|
||||||
|
maxVersion = "VersionTLS12"
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="File (YAML)"
|
||||||
|
# Dynamic configuration
|
||||||
|
|
||||||
|
tls:
|
||||||
|
options:
|
||||||
|
default:
|
||||||
|
maxVersion: VersionTLS13
|
||||||
|
|
||||||
|
maxtls12:
|
||||||
|
maxVersion: VersionTLS12
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml tab="Kubernetes"
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSOption
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
maxVersion: VersionTLS13
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: TLSOption
|
||||||
|
metadata:
|
||||||
|
name: maxtls12
|
||||||
|
namespace: default
|
||||||
|
|
||||||
|
spec:
|
||||||
|
maxVersion: VersionTLS12
|
||||||
|
```
|
||||||
|
|
||||||
### Cipher Suites
|
### Cipher Suites
|
||||||
|
|
||||||
See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
|
See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
|
||||||
|
|
|
@ -318,6 +318,7 @@
|
||||||
[tls.options]
|
[tls.options]
|
||||||
[tls.options.Options0]
|
[tls.options.Options0]
|
||||||
minVersion = "foobar"
|
minVersion = "foobar"
|
||||||
|
maxVersion = "foobar"
|
||||||
cipherSuites = ["foobar", "foobar"]
|
cipherSuites = ["foobar", "foobar"]
|
||||||
sniStrict = true
|
sniStrict = true
|
||||||
[tls.options.Options0.clientAuth]
|
[tls.options.Options0.clientAuth]
|
||||||
|
@ -325,6 +326,7 @@
|
||||||
clientAuthType = "foobar"
|
clientAuthType = "foobar"
|
||||||
[tls.options.Options1]
|
[tls.options.Options1]
|
||||||
minVersion = "foobar"
|
minVersion = "foobar"
|
||||||
|
maxVersion = "foobar"
|
||||||
cipherSuites = ["foobar", "foobar"]
|
cipherSuites = ["foobar", "foobar"]
|
||||||
sniStrict = true
|
sniStrict = true
|
||||||
[tls.options.Options1.clientAuth]
|
[tls.options.Options1.clientAuth]
|
||||||
|
|
|
@ -349,6 +349,7 @@ tls:
|
||||||
options:
|
options:
|
||||||
Options0:
|
Options0:
|
||||||
minVersion: foobar
|
minVersion: foobar
|
||||||
|
maxVersion: foobar
|
||||||
cipherSuites:
|
cipherSuites:
|
||||||
- foobar
|
- foobar
|
||||||
- foobar
|
- foobar
|
||||||
|
@ -360,6 +361,7 @@ tls:
|
||||||
sniStrict: true
|
sniStrict: true
|
||||||
Options1:
|
Options1:
|
||||||
minVersion: foobar
|
minVersion: foobar
|
||||||
|
maxVersion: foobar
|
||||||
cipherSuites:
|
cipherSuites:
|
||||||
- foobar
|
- foobar
|
||||||
- foobar
|
- foobar
|
||||||
|
|
|
@ -482,6 +482,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
|
||||||
|
|
||||||
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
|
tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
|
||||||
MinVersion: tlsOption.Spec.MinVersion,
|
MinVersion: tlsOption.Spec.MinVersion,
|
||||||
|
MaxVersion: tlsOption.Spec.MaxVersion,
|
||||||
CipherSuites: tlsOption.Spec.CipherSuites,
|
CipherSuites: tlsOption.Spec.CipherSuites,
|
||||||
ClientAuth: tls.ClientAuth{
|
ClientAuth: tls.ClientAuth{
|
||||||
CAFiles: clientCAs,
|
CAFiles: clientCAs,
|
||||||
|
|
|
@ -20,6 +20,7 @@ type TLSOption struct {
|
||||||
// TLSOptionSpec configures TLS for an entry point
|
// TLSOptionSpec configures TLS for an entry point
|
||||||
type TLSOptionSpec struct {
|
type TLSOptionSpec struct {
|
||||||
MinVersion string `json:"minVersion,omitempty"`
|
MinVersion string `json:"minVersion,omitempty"`
|
||||||
|
MaxVersion string `json:"maxVersion,omitempty"`
|
||||||
CipherSuites []string `json:"cipherSuites,omitempty"`
|
CipherSuites []string `json:"cipherSuites,omitempty"`
|
||||||
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
||||||
SniStrict bool `json:"sniStrict,omitempty"`
|
SniStrict bool `json:"sniStrict,omitempty"`
|
||||||
|
|
|
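Review bot: The new `MaxVersion string \`json:"maxVersion,omitempty"\`` field of TLSOptionSpec has no comment and nothing in the CRD constrains its value, so a name outside the four `VersionTLS1x` entries is accepted by the API server and, judging from the map lookup in buildTLSConfig elsewhere in this commit, then silently ignored instead of rejected. At minimum document the contract: `// MaxVersion is the maximum TLS version to negotiate; one of VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 (empty keeps the crypto/tls default).` If the CRD ships an OpenAPI schema, an enum on this field would catch typos at apply time. The struct continues beyond the hunk.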
@ -22,6 +22,14 @@ var (
|
||||||
`VersionTLS13`: tls.VersionTLS13,
|
`VersionTLS13`: tls.VersionTLS13,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// MaxVersion Map of allowed TLS minimum versions
|
||||||
|
MaxVersion = map[string]uint16{
|
||||||
|
`VersionTLS10`: tls.VersionTLS10,
|
||||||
|
`VersionTLS11`: tls.VersionTLS11,
|
||||||
|
`VersionTLS12`: tls.VersionTLS12,
|
||||||
|
`VersionTLS13`: tls.VersionTLS13,
|
||||||
|
}
|
||||||
|
|
||||||
// CipherSuites Map of TLS CipherSuites from crypto/tls
|
// CipherSuites Map of TLS CipherSuites from crypto/tls
|
||||||
// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
|
// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
|
||||||
CipherSuites = map[string]uint16{
|
CipherSuites = map[string]uint16{
|
||||||
|
|
|
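Review bot: The doc comment `// MaxVersion Map of allowed TLS minimum versions` was copied from the MinVersion map and says "minimum" for a table that bounds the maximum; it should read `// MaxVersion Map of allowed TLS maximum versions`. The four entries appear identical to the MinVersion map whose tail is visible just above, so the two tables can drift if a future version constant is added to one only; either share one version table or add a one-line comment saying the two must be kept in sync. The table also admits VersionTLS10 and VersionTLS11 as a cap, which pins an entry point to protocol versions this commit's own documentation steers users away from, so a comment stating that those entries exist for completeness rather than as recommended settings would help the next reader.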
@ -17,6 +17,7 @@ type ClientAuth struct {
|
||||||
// Options configures TLS for an entry point
|
// Options configures TLS for an entry point
|
||||||
type Options struct {
|
type Options struct {
|
||||||
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
|
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
|
||||||
|
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
|
||||||
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
|
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
|
||||||
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
|
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
|
||||||
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
|
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
|
||||||
|
|
|
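Review bot: The new `MaxVersion` field on `Options` is undocumented, and because this is the user-facing configuration type the accepted names and the empty-value behaviour are exactly what a reader needs; add `// MaxVersion is the highest TLS version the entry point will negotiate, named as in crypto/tls (e.g. "VersionTLS12"); empty leaves the crypto/tls default in place.` above the field. The neighbouring `MinVersion` is undocumented too, so this matches the file's existing style, but a setting whose effect is to switch off TLS 1.3 justifies one sentence. The closing brace of `Options` is outside the hunk.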
@ -217,6 +217,12 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
|
||||||
conf.MinVersion = minConst
|
conf.MinVersion = minConst
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Set the maximum TLS version if set in the config TOML
|
||||||
|
if maxConst, exists := MaxVersion[tlsOption.MaxVersion]; exists {
|
||||||
|
conf.PreferServerCipherSuites = true
|
||||||
|
conf.MaxVersion = maxConst
|
||||||
|
}
|
||||||
|
|
||||||
// Set the list of CipherSuites if set in the config TOML
|
// Set the list of CipherSuites if set in the config TOML
|
||||||
if tlsOption.CipherSuites != nil {
|
if tlsOption.CipherSuites != nil {
|
||||||
// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
|
// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
|
||||||
|
|
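Review bot: A `maxVersion` lower than the `minVersion` applied a few lines earlier (`conf.MinVersion = minConst`) is accepted here and only surfaces at handshake time, when crypto/tls rejects every connection because no version satisfies both bounds; since buildTLSConfig already returns `(*tls.Config, error)`, compare the two once both are known and return an error from configuration instead. `conf.PreferServerCipherSuites = true` in the new branch looks carried over from the MinVersion block and is unrelated to an upper version bound — harmless, but misleading, and it should not live in this branch. A non-empty `MaxVersion` that is not in the table is silently skipped and the default cap stays in effect; that appears to mirror how MinVersion is handled just above, so it may be deliberate, but an explicit error for an unknown name would stop typos from passing unnoticed. The error constructor below assumes `fmt` is imported; use whatever the file already has. buildTLSConfig begins and ends outside the hunk.
```go
// Set the maximum TLS version if set in the config TOML
if maxConst, exists := MaxVersion[tlsOption.MaxVersion]; exists {
	conf.MaxVersion = maxConst
}

// Reject a cap below the floor now; crypto/tls would otherwise fail every handshake.
if conf.MinVersion != 0 && conf.MaxVersion != 0 && conf.MaxVersion < conf.MinVersion {
	return nil, fmt.Errorf("tls: maxVersion %q is lower than minVersion %q", tlsOption.MaxVersion, tlsOption.MinVersion)
}

// … unchanged: cipher suite handling …
```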