Allow PreferServerCipherSuites as a TLS Option

2020-02-12 11:06:04 -06:00 · 2020-02-12 11:06:04 -06:00 · 7c430e5c9d
commit 7c430e5c9d
parent 94b2b6393f
13 changed files with 112 additions and 16 deletions
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@ -347,6 +347,39 @@ spec:
  sniStrict: true
 ```
 ### Prefer Server Cipher Suites
 This option allows the server to choose its most preferred cipher suite instead of the client's.
 Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
 ```toml tab="File (TOML)"
 # Dynamic configuration
 [tls.options]
  [tls.options.default]
    preferServerCipherSuites = true
 ```
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 tls:
  options:
    default:
      preferServerCipherSuites: true
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
  name: default
  namespace: default
 spec:
  preferServerCipherSuites: true
 ```
 ### Client Authentication (mTLS)
 Traefik supports mutual authentication, through the `clientAuth` section.
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@ -357,6 +357,7 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
      preferServerCipherSuites = true
      [tls.options.Options0.clientAuth]
        caFiles = ["foobar", "foobar"]
        clientAuthType = "foobar"
@ -366,6 +367,7 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
      preferServerCipherSuites = true
      [tls.options.Options1.clientAuth]
        caFiles = ["foobar", "foobar"]
        clientAuthType = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@ -397,6 +397,7 @@ tls:
        - foobar
        clientAuthType: foobar
      sniStrict: true
      preferServerCipherSuites: true
    Options1:
      minVersion: foobar
      maxVersion: foobar
@ -412,6 +413,7 @@ tls:
        - foobar
        clientAuthType: foobar
      sniStrict: true
      preferServerCipherSuites: true
  stores:
    Store0:
      defaultCertificate:
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
@ -155,3 +155,27 @@ spec:
    options:
      name: myTLSOption
      namespace: default
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
  name: tlsoption
  namespace: default
 spec:
  minVersion: foobar
  maxVersion: foobar
  cipherSuites:
    - foobar
    - foobar
  curvePreferences:
    - foobar
    - foobar
  clientAuth:
    caFiles:
      - foobar
      - foobar
    clientAuthType: foobar
  sniStrict: true
  preferServerCipherSuites: true
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
@ -230,3 +230,27 @@ spec:
    options:
      name: myTLSOption
      namespace: default
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
  name: tlsoption
  namespace: default
 spec:
  minVersion: foobar
  maxVersion: foobar
  cipherSuites:
    - foobar
    - foobar
  curvePreferences:
    - foobar
    - foobar
  clientAuth:
    caFiles:
      - foobar
      - foobar
    clientAuthType: foobar
  sniStrict: true
  preferServerCipherSuites: true
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@ -233,6 +233,7 @@
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
 | `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
 | `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
 | `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
@ -243,6 +244,7 @@
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
 | `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options1/sniStrict` | `true` |
 | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
--- a/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options.yml
@ -35,7 +35,7 @@ spec:
      - secretCA1
      - secretCA2
    clientAuthType: VerifyClientCertIfGiven
-
+  preferServerCipherSuites: true
 ---
 apiVersion: v1
 kind: Secret
--- a/pkg/provider/kubernetes/crd/fixtures/with_tls_options.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/with_tls_options.yml
@ -35,6 +35,7 @@ spec:
      - secretCA1
      - secretCA2
    clientAuthType: VerifyClientCertIfGiven
  preferServerCipherSuites: true
 ---
 apiVersion: traefik.containo.us/v1alpha1
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -501,7 +501,8 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 				CAFiles:        clientCAs,
 				ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType,
 			},
-			SniStrict: tlsOption.Spec.SniStrict,
+			SniStrict:                tlsOption.Spec.SniStrict,
 			PreferServerCipherSuites: tlsOption.Spec.PreferServerCipherSuites,
 		}
 	}
 	return tlsOptions
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -423,7 +423,8 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 								},
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
-							SniStrict: true,
+							SniStrict:                true,
 							PreferServerCipherSuites: true,
 						},
 					},
 				},
@ -1896,7 +1897,8 @@ func TestLoadIngressRoutes(t *testing.T) {
 								},
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
-							SniStrict: true,
+							SniStrict:                true,
 							PreferServerCipherSuites: true,
 						},
 					},
 				},
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
@ -19,12 +19,13 @@ type TLSOption struct {
 // TLSOptionSpec configures TLS for an entry point
 type TLSOptionSpec struct {
-	MinVersion       string     `json:"minVersion,omitempty"`
+	MinVersion               string     `json:"minVersion,omitempty"`
-	MaxVersion       string     `json:"maxVersion,omitempty"`
+	MaxVersion               string     `json:"maxVersion,omitempty"`
-	CipherSuites     []string   `json:"cipherSuites,omitempty"`
+	CipherSuites             []string   `json:"cipherSuites,omitempty"`
-	CurvePreferences []string   `json:"curvePreferences,omitempty"`
+	CurvePreferences         []string   `json:"curvePreferences,omitempty"`
-	ClientAuth       ClientAuth `json:"clientAuth,omitempty"`
+	ClientAuth               ClientAuth `json:"clientAuth,omitempty"`
-	SniStrict        bool       `json:"sniStrict,omitempty"`
+	SniStrict                bool       `json:"sniStrict,omitempty"`
 	PreferServerCipherSuites bool       `json:"preferServerCipherSuites,omitempty"`
 }
 // +k8s:deepcopy-gen=true
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@ -16,12 +16,13 @@ type ClientAuth struct {
 // Options configures TLS for an entry point
 type Options struct {
-	MinVersion       string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
+	MinVersion               string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
-	MaxVersion       string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
+	MaxVersion               string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
-	CipherSuites     []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
+	CipherSuites             []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
-	CurvePreferences []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
+	CurvePreferences         []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
-	ClientAuth       ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
+	ClientAuth               ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
-	SniStrict        bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
+	SniStrict                bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
 	PreferServerCipherSuites bool       `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@ -219,6 +219,9 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 		}
 	}
 	// Set PreferServerCipherSuites.
 	conf.PreferServerCipherSuites = tlsOption.PreferServerCipherSuites
 	// Set the minimum TLS version if set in the config
 	if minConst, exists := MinVersion[tlsOption.MinVersion]; exists {
 		conf.PreferServerCipherSuites = true