Allow PreferServerCipherSuites as a TLS Option

Daniel Tomcej 2020-02-12 11:06:04 -06:00 committed by GitHub
parent 94b2b6393f
commit 7c430e5c9d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 112 additions and 16 deletions


@ -347,6 +347,39 @@ spec:
sniStrict: true sniStrict: true
``` ```
### Prefer Server Cipher Suites
This option allows the server to choose its most preferred cipher suite instead of the client's.
Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
preferServerCipherSuites = true
```
```yaml tab="File (YAML)"
# Dynamic configuration
tls:
options:
default:
preferServerCipherSuites: true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: default
namespace: default
spec:
preferServerCipherSuites: true
```
### Client Authentication (mTLS) ### Client Authentication (mTLS)
Traefik supports mutual authentication, through the `clientAuth` section. Traefik supports mutual authentication, through the `clientAuth` section.


@ -357,6 +357,7 @@
cipherSuites = ["foobar", "foobar"] cipherSuites = ["foobar", "foobar"]
curvePreferences = ["foobar", "foobar"] curvePreferences = ["foobar", "foobar"]
sniStrict = true sniStrict = true
preferServerCipherSuites = true
[tls.options.Options0.clientAuth] [tls.options.Options0.clientAuth]
caFiles = ["foobar", "foobar"] caFiles = ["foobar", "foobar"]
clientAuthType = "foobar" clientAuthType = "foobar"
@ -366,6 +367,7 @@
cipherSuites = ["foobar", "foobar"] cipherSuites = ["foobar", "foobar"]
curvePreferences = ["foobar", "foobar"] curvePreferences = ["foobar", "foobar"]
sniStrict = true sniStrict = true
preferServerCipherSuites = true
[tls.options.Options1.clientAuth] [tls.options.Options1.clientAuth]
caFiles = ["foobar", "foobar"] caFiles = ["foobar", "foobar"]
clientAuthType = "foobar" clientAuthType = "foobar"


@ -397,6 +397,7 @@ tls:
- foobar - foobar
clientAuthType: foobar clientAuthType: foobar
sniStrict: true sniStrict: true
preferServerCipherSuites: true
Options1: Options1:
minVersion: foobar minVersion: foobar
maxVersion: foobar maxVersion: foobar
@ -412,6 +413,7 @@ tls:
- foobar - foobar
clientAuthType: foobar clientAuthType: foobar
sniStrict: true sniStrict: true
preferServerCipherSuites: true
stores: stores:
Store0: Store0:
defaultCertificate: defaultCertificate:


@ -155,3 +155,27 @@ spec:
options: options:
name: myTLSOption name: myTLSOption
namespace: default namespace: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: tlsoption
namespace: default
spec:
minVersion: foobar
maxVersion: foobar
cipherSuites:
- foobar
- foobar
curvePreferences:
- foobar
- foobar
clientAuth:
caFiles:
- foobar
- foobar
clientAuthType: foobar
sniStrict: true
preferServerCipherSuites: true


@ -230,3 +230,27 @@ spec:
options: options:
name: myTLSOption name: myTLSOption
namespace: default namespace: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: tlsoption
namespace: default
spec:
minVersion: foobar
maxVersion: foobar
cipherSuites:
- foobar
- foobar
curvePreferences:
- foobar
- foobar
clientAuth:
caFiles:
- foobar
- foobar
clientAuthType: foobar
sniStrict: true
preferServerCipherSuites: true


@ -233,6 +233,7 @@
| `traefik/tls/options/Options0/curvePreferences/1` | `foobar` | | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
| `traefik/tls/options/Options0/maxVersion` | `foobar` | | `traefik/tls/options/Options0/maxVersion` | `foobar` |
| `traefik/tls/options/Options0/minVersion` | `foobar` | | `traefik/tls/options/Options0/minVersion` | `foobar` |
| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
| `traefik/tls/options/Options0/sniStrict` | `true` | | `traefik/tls/options/Options0/sniStrict` | `true` |
| `traefik/tls/options/Options1/cipherSuites/0` | `foobar` | | `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
| `traefik/tls/options/Options1/cipherSuites/1` | `foobar` | | `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
@ -243,6 +244,7 @@
| `traefik/tls/options/Options1/curvePreferences/1` | `foobar` | | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
| `traefik/tls/options/Options1/maxVersion` | `foobar` | | `traefik/tls/options/Options1/maxVersion` | `foobar` |
| `traefik/tls/options/Options1/minVersion` | `foobar` | | `traefik/tls/options/Options1/minVersion` | `foobar` |
| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
| `traefik/tls/options/Options1/sniStrict` | `true` | | `traefik/tls/options/Options1/sniStrict` | `true` |
| `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` | | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
| `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` | | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |


@ -35,7 +35,7 @@ spec:
- secretCA1 - secretCA1
- secretCA2 - secretCA2
clientAuthType: VerifyClientCertIfGiven clientAuthType: VerifyClientCertIfGiven
preferServerCipherSuites: true
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret


@ -35,6 +35,7 @@ spec:
- secretCA1 - secretCA1
- secretCA2 - secretCA2
clientAuthType: VerifyClientCertIfGiven clientAuthType: VerifyClientCertIfGiven
preferServerCipherSuites: true
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1


@ -502,6 +502,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType, ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType,
}, },
SniStrict: tlsOption.Spec.SniStrict, SniStrict: tlsOption.Spec.SniStrict,
PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
} }
} }
return tlsOptions return tlsOptions


@ -424,6 +424,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
ClientAuthType: "VerifyClientCertIfGiven", ClientAuthType: "VerifyClientCertIfGiven",
}, },
SniStrict: true, SniStrict: true,
PreferServerCipherSuites: true,
}, },
}, },
}, },
@ -1897,6 +1898,7 @@ func TestLoadIngressRoutes(t *testing.T) {
ClientAuthType: "VerifyClientCertIfGiven", ClientAuthType: "VerifyClientCertIfGiven",
}, },
SniStrict: true, SniStrict: true,
PreferServerCipherSuites: true,
}, },
}, },
}, },


@ -25,6 +25,7 @@ type TLSOptionSpec struct {
CurvePreferences []string `json:"curvePreferences,omitempty"` CurvePreferences []string `json:"curvePreferences,omitempty"`
ClientAuth ClientAuth `json:"clientAuth,omitempty"` ClientAuth ClientAuth `json:"clientAuth,omitempty"`
SniStrict bool `json:"sniStrict,omitempty"` SniStrict bool `json:"sniStrict,omitempty"`
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true
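Review bot: The new exported field `PreferServerCipherSuites` on TLSOptionSpec carries no doc comment, and the same is true of the matching field added to `Options` in the tls package hunk below; since these are the user-facing settings they are the right place to record how the option interacts with the version settings, which the docs hunk says force it on. A comment along the lines of `// PreferServerCipherSuites makes the server choose the cipher suite instead of the client; it is forced on when minVersion or maxVersion is set.` on both fields would keep the struct, the docs and buildTLSConfig in step. The enclosing struct declarations start outside their hunks.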


@ -22,6 +22,7 @@ type Options struct {
CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"` CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"` ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"` SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true


@ -219,6 +219,9 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
} }
} }
// Set PreferServerCipherSuites.
conf.PreferServerCipherSuites = tlsOption.PreferServerCipherSuites
// Set the minimum TLS version if set in the config // Set the minimum TLS version if set in the config
if minConst, exists := MinVersion[tlsOption.MinVersion]; exists { if minConst, exists := MinVersion[tlsOption.MinVersion]; exists {
conf.PreferServerCipherSuites = true conf.PreferServerCipherSuites = true
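Review bot: The value copied by the new `conf.PreferServerCipherSuites = tlsOption.PreferServerCipherSuites` line is overwritten by the pre-existing `conf.PreferServerCipherSuites = true` inside the minVersion branch directly below it, so an explicit `preferServerCipherSuites: false` is silently discarded whenever minVersion (and, per the docs hunk, maxVersion) is configured; that matches the documented behaviour, but the added `// Set PreferServerCipherSuites.` comment only restates the assignment, so replace it with one that states the precedence: `// Honour the configured preference; the minVersion/maxVersion branches below still force it to true.` A unit test in the tls package asserting that `false` combined with a minVersion still yields `true` would pin that contract rather than leaving it implicit. Be aware that Go's crypto/tls deprecates `Config.PreferServerCipherSuites` from Go 1.17 and ignores it, so on newer toolchains this option becomes a no-op and the option documentation will need to say so. buildTLSConfig continues outside the hunk.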