From ad6bf936d52cfc938b4a6b9aef7b451c924e810e Mon Sep 17 00:00:00 2001 From: Traefiker Bot <30906710+traefiker@users.noreply.github.com> Date: Thu, 5 Mar 2020 13:30:05 +0100 Subject: [PATCH] Add metrics about TLS --- pkg/metrics/metrics.go | 22 +++++++++ pkg/metrics/prometheus.go | 22 +++++++-- pkg/middlewares/metrics/metrics.go | 37 ++++++++++++++++ pkg/tls/certificate.go | 33 -------------- pkg/tls/cipher.go | 71 ++++++++++++++++++++++++++++++ pkg/tls/cipher_test.go | 30 +++++++++++++ 6 files changed, 178 insertions(+), 37 deletions(-) create mode 100644 pkg/tls/cipher.go create mode 100644 pkg/tls/cipher_test.go diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go index 8cdb1eae9..3f9981c8f 100644 --- a/pkg/metrics/metrics.go +++ b/pkg/metrics/metrics.go @@ -20,11 +20,13 @@ type Registry interface { // entry point metrics EntryPointReqsCounter() metrics.Counter + EntryPointReqsTLSCounter() metrics.Counter EntryPointReqDurationHistogram() metrics.Histogram EntryPointOpenConnsGauge() metrics.Gauge // service metrics ServiceReqsCounter() metrics.Counter + ServiceReqsTLSCounter() metrics.Counter ServiceReqDurationHistogram() metrics.Histogram ServiceOpenConnsGauge() metrics.Gauge ServiceRetriesCounter() metrics.Counter @@ -46,9 +48,11 @@ func NewMultiRegistry(registries []Registry) Registry { var lastConfigReloadSuccessGauge []metrics.Gauge var lastConfigReloadFailureGauge []metrics.Gauge var entryPointReqsCounter []metrics.Counter + var entryPointReqsTLSCounter []metrics.Counter var entryPointReqDurationHistogram []metrics.Histogram var entryPointOpenConnsGauge []metrics.Gauge var serviceReqsCounter []metrics.Counter + var serviceReqsTLSCounter []metrics.Counter var serviceReqDurationHistogram []metrics.Histogram var serviceOpenConnsGauge []metrics.Gauge var serviceRetriesCounter []metrics.Counter 
@@ -70,6 +74,9 @@ func NewMultiRegistry(registries []Registry) Registry { if r.EntryPointReqsCounter() != nil { entryPointReqsCounter = append(entryPointReqsCounter, r.EntryPointReqsCounter()) } + if r.EntryPointReqsTLSCounter() != nil { + entryPointReqsTLSCounter = append(entryPointReqsTLSCounter, r.EntryPointReqsTLSCounter()) + } if r.EntryPointReqDurationHistogram() != nil { entryPointReqDurationHistogram = append(entryPointReqDurationHistogram, r.EntryPointReqDurationHistogram()) } @@ -79,6 +86,9 @@ func NewMultiRegistry(registries []Registry) Registry { if r.ServiceReqsCounter() != nil { serviceReqsCounter = append(serviceReqsCounter, r.ServiceReqsCounter()) } + if r.ServiceReqsTLSCounter() != nil { + serviceReqsTLSCounter = append(serviceReqsTLSCounter, r.ServiceReqsTLSCounter()) + } if r.ServiceReqDurationHistogram() != nil { serviceReqDurationHistogram = append(serviceReqDurationHistogram, r.ServiceReqDurationHistogram()) } @@ -101,9 +111,11 @@ func NewMultiRegistry(registries []Registry) Registry { lastConfigReloadSuccessGauge: multi.NewGauge(lastConfigReloadSuccessGauge...), lastConfigReloadFailureGauge: multi.NewGauge(lastConfigReloadFailureGauge...), entryPointReqsCounter: multi.NewCounter(entryPointReqsCounter...), + entryPointReqsTLSCounter: multi.NewCounter(entryPointReqsTLSCounter...), entryPointReqDurationHistogram: multi.NewHistogram(entryPointReqDurationHistogram...), entryPointOpenConnsGauge: multi.NewGauge(entryPointOpenConnsGauge...), serviceReqsCounter: multi.NewCounter(serviceReqsCounter...), + serviceReqsTLSCounter: multi.NewCounter(serviceReqsTLSCounter...), serviceReqDurationHistogram: multi.NewHistogram(serviceReqDurationHistogram...), serviceOpenConnsGauge: multi.NewGauge(serviceOpenConnsGauge...), serviceRetriesCounter: multi.NewCounter(serviceRetriesCounter...), 
@@ -119,9 +131,11 @@ type standardRegistry struct { lastConfigReloadSuccessGauge metrics.Gauge lastConfigReloadFailureGauge metrics.Gauge entryPointReqsCounter metrics.Counter + entryPointReqsTLSCounter metrics.Counter entryPointReqDurationHistogram metrics.Histogram entryPointOpenConnsGauge metrics.Gauge serviceReqsCounter metrics.Counter + serviceReqsTLSCounter metrics.Counter serviceReqDurationHistogram metrics.Histogram serviceOpenConnsGauge metrics.Gauge serviceRetriesCounter metrics.Counter @@ -156,6 +170,10 @@ func (r *standardRegistry) EntryPointReqsCounter() metrics.Counter { return r.entryPointReqsCounter } +func (r *standardRegistry) EntryPointReqsTLSCounter() metrics.Counter { + return r.entryPointReqsTLSCounter +} + func (r *standardRegistry) EntryPointReqDurationHistogram() metrics.Histogram { return r.entryPointReqDurationHistogram } @@ -168,6 +186,10 @@ func (r *standardRegistry) ServiceReqsCounter() metrics.Counter { return r.serviceReqsCounter } +func (r *standardRegistry) ServiceReqsTLSCounter() metrics.Counter { + return r.serviceReqsTLSCounter +} + func (r *standardRegistry) ServiceReqDurationHistogram() metrics.Histogram { return r.serviceReqDurationHistogram } diff --git a/pkg/metrics/prometheus.go b/pkg/metrics/prometheus.go index 6003da55b..0aeaad102 100644 --- a/pkg/metrics/prometheus.go +++ b/pkg/metrics/prometheus.go 
@@ -28,16 +28,18 @@ const ( configLastReloadFailureName = metricConfigPrefix + "last_reload_failure" // entry point - metricEntryPointPrefix = MetricNamePrefix + "entrypoint_" - entryPointReqsTotalName = metricEntryPointPrefix + "requests_total" - entryPointReqDurationName = metricEntryPointPrefix + "request_duration_seconds" - entryPointOpenConnsName = metricEntryPointPrefix + "open_connections" + metricEntryPointPrefix = MetricNamePrefix + "entrypoint_" + entryPointReqsTotalName = metricEntryPointPrefix + "requests_total" + entryPointReqsTLSTotalName = metricEntryPointPrefix + "requests_tls_total" + entryPointReqDurationName = metricEntryPointPrefix + "request_duration_seconds" + entryPointOpenConnsName = metricEntryPointPrefix + "open_connections" // service level. // MetricServicePrefix prefix of all service metric names MetricServicePrefix = MetricNamePrefix + "service_" serviceReqsTotalName = MetricServicePrefix + "requests_total" + serviceReqsTLSTotalName = MetricServicePrefix + "requests_tls_total" serviceReqDurationName = MetricServicePrefix + "request_duration_seconds" serviceOpenConnsName = MetricServicePrefix + "open_connections" serviceRetriesTotalName = MetricServicePrefix + "retries_total" 
@@ -136,6 +138,10 @@ func initStandardRegistry(config *types.Prometheus) Registry { Name: entryPointReqsTotalName, Help: "How many HTTP requests processed on an entrypoint, partitioned by status code, protocol, and method.", }, []string{"code", "method", "protocol", "entrypoint"}) + entryPointReqsTLS := newCounterFrom(promState.collectors, stdprometheus.CounterOpts{ + Name: entryPointReqsTLSTotalName, + Help: "How many HTTP requests with TLS processed on an entrypoint, partitioned by TLS Version and TLS cipher Used.", + }, []string{"tls_version", "tls_cipher", "entrypoint"}) entryPointReqDurations := newHistogramFrom(promState.collectors, stdprometheus.HistogramOpts{ Name: entryPointReqDurationName, Help: "How long it took to process the request on an entrypoint, partitioned by status code, protocol, and method.", @@ -148,10 +154,12 @@ func initStandardRegistry(config *types.Prometheus) Registry { promState.describers = append(promState.describers, []func(chan<- *stdprometheus.Desc){ entryPointReqs.cv.Describe, + entryPointReqsTLS.cv.Describe, entryPointReqDurations.hv.Describe, entryPointOpenConns.gv.Describe, }...) reg.entryPointReqsCounter = entryPointReqs + reg.entryPointReqsTLSCounter = entryPointReqsTLS reg.entryPointReqDurationHistogram = entryPointReqDurations reg.entryPointOpenConnsGauge = entryPointOpenConns } 
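Review bot: The Help string on the new entrypoint counter, `partitioned by TLS Version and TLS cipher Used.`, is inconsistent with its service-level twin (`partitioned by TLS version and TLS cipher.`), and the stray capitals are served verbatim in the `/metrics` exposition. Suggest `Help: "How many HTTP requests with TLS processed on an entrypoint, partitioned by TLS version and TLS cipher.",`. It is also worth stating in the help text that this counts requests, not connections or handshakes: with keep-alive and HTTP/2 multiplexing a single weak-TLS connection inflates the count many times, which matters when the metric is used to estimate how many clients still negotiate TLS 1.0/1.1 or RC4/3DES suites. initStandardRegistry begins and ends outside the hunk.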
@@ -160,6 +168,10 @@ func initStandardRegistry(config *types.Prometheus) Registry { Name: serviceReqsTotalName, Help: "How many HTTP requests processed on a service, partitioned by status code, protocol, and method.", }, []string{"code", "method", "protocol", "service"}) + serviceReqsTLS := newCounterFrom(promState.collectors, stdprometheus.CounterOpts{ + Name: serviceReqsTLSTotalName, + Help: "How many HTTP requests with TLS processed on a service, partitioned by TLS version and TLS cipher.", + }, []string{"tls_version", "tls_cipher", "service"}) serviceReqDurations := newHistogramFrom(promState.collectors, stdprometheus.HistogramOpts{ Name: serviceReqDurationName, Help: "How long it took to process the request on a service, partitioned by status code, protocol, and method.", @@ -180,6 +192,7 @@ func initStandardRegistry(config *types.Prometheus) Registry { promState.describers = append(promState.describers, []func(chan<- *stdprometheus.Desc){ serviceReqs.cv.Describe, + serviceReqsTLS.cv.Describe, serviceReqDurations.hv.Describe, serviceOpenConns.gv.Describe, serviceRetries.cv.Describe, @@ -187,6 +200,7 @@ func initStandardRegistry(config *types.Prometheus) Registry { }...) reg.serviceReqsCounter = serviceReqs + reg.serviceReqsTLSCounter = serviceReqsTLS reg.serviceReqDurationHistogram = serviceReqDurations reg.serviceOpenConnsGauge = serviceOpenConns reg.serviceRetriesCounter = serviceRetries diff --git a/pkg/middlewares/metrics/metrics.go b/pkg/middlewares/metrics/metrics.go index 6006119c8..aa0e39e85 100644 --- a/pkg/middlewares/metrics/metrics.go +++ b/pkg/middlewares/metrics/metrics.go @@ -2,6 +2,7 @@ package metrics import ( "context" + "crypto/tls" "net/http" "strconv" "strings" 
@@ -13,6 +14,7 @@ import ( "github.com/containous/traefik/v2/pkg/metrics" "github.com/containous/traefik/v2/pkg/middlewares" "github.com/containous/traefik/v2/pkg/middlewares/retry" + traefiktls "github.com/containous/traefik/v2/pkg/tls" gokitmetrics "github.com/go-kit/kit/metrics" ) @@ -28,6 +30,7 @@ const ( type metricsMiddleware struct { next http.Handler reqsCounter gokitmetrics.Counter + reqsTLSCounter gokitmetrics.Counter reqDurationHistogram gokitmetrics.Histogram openConnsGauge gokitmetrics.Gauge baseLabels []string @@ -40,6 +43,7 @@ func NewEntryPointMiddleware(ctx context.Context, next http.Handler, registry me return &metricsMiddleware{ next: next, reqsCounter: registry.EntryPointReqsCounter(), + reqsTLSCounter: registry.EntryPointReqsTLSCounter(), reqDurationHistogram: registry.EntryPointReqDurationHistogram(), openConnsGauge: registry.EntryPointOpenConnsGauge(), baseLabels: []string{"entrypoint", entryPointName}, @@ -53,6 +57,7 @@ func NewServiceMiddleware(ctx context.Context, next http.Handler, registry metri return &metricsMiddleware{ next: next, reqsCounter: registry.ServiceReqsCounter(), + reqsTLSCounter: registry.ServiceReqsTLSCounter(), reqDurationHistogram: registry.ServiceReqDurationHistogram(), openConnsGauge: registry.ServiceOpenConnsGauge(), baseLabels: []string{"service", serviceName}, @@ -81,6 +86,15 @@ func (m *metricsMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request) m.openConnsGauge.With(labels...).Add(1) defer m.openConnsGauge.With(labels...).Add(-1) + // TLS metrics + if req.TLS != nil { + var tlsLabels []string + tlsLabels = append(tlsLabels, m.baseLabels...) + tlsLabels = append(tlsLabels, "tls_version", getRequestTLSVersion(req), "tls_cipher", getRequestTLSCipher(req)) + + m.reqsTLSCounter.With(tlsLabels...).Add(1) + } + recorder := newResponseRecorder(rw) start := time.Now() m.next.ServeHTTP(recorder, req) 
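Review bot: The new counter is dereferenced in ServeHTTP with no nil check, yet the diffstat shows only the Prometheus backend learned to populate `entryPointReqsTLSCounter`/`serviceReqsTLSCounter`; a standardRegistry built for any other backend returns nil from `EntryPointReqsTLSCounter()`, and the first TLS request would then panic on `m.reqsTLSCounter.With(...)`. Whether that nil ever reaches the middleware depends on callers always wrapping registries in `NewMultiRegistry` (where `multi.NewCounter` with zero backends is still non-nil), which is not visible here, so a guard is cheap insurance: `if req.TLS != nil && m.reqsTLSCounter != nil {`. The label set is bounded because both helpers fall back to "unknown", so series cardinality is not a concern; the slice could simply be pre-sized with `tlsLabels := make([]string, 0, len(m.baseLabels)+4)`. ServeHTTP starts and ends outside the hunk.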
@@ -131,6 +145,29 @@ func getMethod(r *http.Request) string { return r.Method } +func getRequestTLSVersion(req *http.Request) string { + switch req.TLS.Version { + case tls.VersionTLS10: + return "1.0" + case tls.VersionTLS11: + return "1.1" + case tls.VersionTLS12: + return "1.2" + case tls.VersionTLS13: + return "1.3" + default: + return "unknown" + } +} + +func getRequestTLSCipher(req *http.Request) string { + if version, ok := traefiktls.CipherSuitesReversed[req.TLS.CipherSuite]; ok { + return version + } + + return "unknown" +} + type retryMetrics interface { ServiceRetriesCounter() gokitmetrics.Counter } diff --git a/pkg/tls/certificate.go b/pkg/tls/certificate.go index c4accff68..041c98b3e 100644 --- a/pkg/tls/certificate.go +++ b/pkg/tls/certificate.go 
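Review bot: Both helpers read `req.TLS.Version` and `req.TLS.CipherSuite` unconditionally, so they panic on a plain-HTTP request; the only protection is the caller's `req.TLS != nil` check, which nothing here documents. Taking the connection state directly makes the precondition explicit and keeps the nil case local: `func getTLSCipher(state *tls.ConnectionState) string` with a `if state == nil { return "unknown" }` guard at the top, and likewise for the version helper. In getRequestTLSCipher the local that holds a cipher-suite name is called `version`, which reads as a copy-paste from the version helper; `name` is clearer. If the module builds with Go 1.14 or later, the stdlib `tls.CipherSuiteName` could replace the hand-maintained reverse map, but the toolchain version is not shown by this patch.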
@@ -30,39 +30,6 @@ var ( `VersionTLS13`: tls.VersionTLS13, } - // CipherSuites Map of TLS CipherSuites from crypto/tls - // Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants - CipherSuites = map[string]uint16{ - `TLS_RSA_WITH_RC4_128_SHA`: tls.TLS_RSA_WITH_RC4_128_SHA, - `TLS_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, - `TLS_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_RSA_WITH_AES_128_CBC_SHA, - `TLS_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_RSA_WITH_AES_256_CBC_SHA, - `TLS_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - `TLS_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - `TLS_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - `TLS_ECDHE_RSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 
- `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - "TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256, - "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384, - "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256, - "TLS_FALLBACK_SCSV": tls.TLS_FALLBACK_SCSV, - } - // CurveIDs is a Map of TLS elliptic curves from crypto/tls // Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID, // also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7 diff --git a/pkg/tls/cipher.go b/pkg/tls/cipher.go new file mode 100644 index 000000000..07cbfd7d6 --- /dev/null +++ b/pkg/tls/cipher.go 
@@ -0,0 +1,71 @@ +package tls + +import ( + "crypto/tls" +) + +var ( + // CipherSuites Map of TLS CipherSuites from crypto/tls + // Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants + CipherSuites = map[string]uint16{ + `TLS_RSA_WITH_RC4_128_SHA`: tls.TLS_RSA_WITH_RC4_128_SHA, + `TLS_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + `TLS_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_RSA_WITH_AES_128_CBC_SHA, + `TLS_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_RSA_WITH_AES_256_CBC_SHA, + `TLS_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + `TLS_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + `TLS_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + `TLS_ECDHE_RSA_WITH_RC4_128_SHA`: tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, + `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`: 
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + `TLS_AES_128_GCM_SHA256`: tls.TLS_AES_128_GCM_SHA256, + `TLS_AES_256_GCM_SHA384`: tls.TLS_AES_256_GCM_SHA384, + `TLS_CHACHA20_POLY1305_SHA256`: tls.TLS_CHACHA20_POLY1305_SHA256, + `TLS_FALLBACK_SCSV`: tls.TLS_FALLBACK_SCSV, + } + + // CipherSuitesReversed Map of TLS CipherSuites from crypto/tls + // Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants + CipherSuitesReversed = map[uint16]string{ + tls.TLS_RSA_WITH_RC4_128_SHA: `TLS_RSA_WITH_RC4_128_SHA`, + tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, + tls.TLS_RSA_WITH_AES_128_CBC_SHA: `TLS_RSA_WITH_AES_128_CBC_SHA`, + tls.TLS_RSA_WITH_AES_256_CBC_SHA: `TLS_RSA_WITH_AES_256_CBC_SHA`, + tls.TLS_RSA_WITH_AES_128_CBC_SHA256: `TLS_RSA_WITH_AES_128_CBC_SHA256`, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256: `TLS_RSA_WITH_AES_128_GCM_SHA256`, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384: `TLS_RSA_WITH_AES_256_GCM_SHA384`, + tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, + tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: `TLS_ECDHE_RSA_WITH_RC4_128_SHA`, + tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, + 
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, + tls.TLS_AES_128_GCM_SHA256: `TLS_AES_128_GCM_SHA256`, + tls.TLS_AES_256_GCM_SHA384: `TLS_AES_256_GCM_SHA384`, + tls.TLS_CHACHA20_POLY1305_SHA256: `TLS_CHACHA20_POLY1305_SHA256`, + tls.TLS_FALLBACK_SCSV: `TLS_FALLBACK_SCSV`, + } +) diff --git a/pkg/tls/cipher_test.go b/pkg/tls/cipher_test.go new file mode 100644 index 000000000..eca131e04 --- /dev/null +++ b/pkg/tls/cipher_test.go @@ -0,0 +1,30 @@ +package tls + +import ( + "testing" +) + +func TestCiphersMapsSync(t *testing.T) { + for k, v := range CipherSuites { + // Following names are legacy aliases. + // We do not test for their presence in CipherSuitesReversed + switch k { + case "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": + continue + } + + if rv, ok := CipherSuitesReversed[v]; !ok { + t.Errorf("Maps not in sync: `%d` key is missing in tls.CipherSuitesReversed", v) + } else if k != rv { + t.Errorf("Maps not in sync: tls.CipherSuites[%s] = `%d` AND tls.CipherSuitesReversed[`%d`] = `%v`", k, v, v, rv) + } + } + + for k, v := range CipherSuitesReversed { + if rv, ok := CipherSuites[v]; !ok { + t.Errorf("Maps not in sync: `%s` key is missing in tls.CipherSuites", v) + } else if k != rv { + t.Errorf("Maps not in sync: tls.CipherSuitesReversed[`%d`] = `%s` AND tls.CipherSuites[`%s`] = `%d`", k, v, v, rv) + } + } +}
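Review bot: The doc comment on `CipherSuitesReversed` is a copy of the one on `CipherSuites` and does not say what the map is for; as the lookup that turns a negotiated `ConnectionState.CipherSuite` into a metric label, it should say so and explain why the two legacy `..._CHACHA20_POLY1305` aliases are absent (they share an ID with the `_SHA256` names, so only one name per ID can be reported). Suggested: `// CipherSuitesReversed maps a crypto/tls cipher suite ID back to its IANA name for reporting; the legacy CHACHA20_POLY1305 aliases are omitted so each ID has exactly one name.`. `TLS_FALLBACK_SCSV` is the RFC 7507 downgrade-signalling value rather than a negotiable suite, so it can never appear as `ConnectionState.CipherSuite` and its reverse entry is dead; its presence in the user-facing `CipherSuites` map is pre-existing (moved from certificate.go), but a one-line comment noting it is a signalling value would stop operators from listing it as if it were a cipher.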
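Review bot: The failure messages print cipher-suite IDs with `%d`, while crypto/tls and the IANA registry use hex, so a mismatch reports e.g. `49199` instead of `0xC02F`; `0x%04X` makes the output directly comparable to the constants. The list of legacy aliases deliberately absent from `CipherSuitesReversed` lives only in this test's `switch`; a comment next to the map in cipher.go would keep that knowledge with the data it describes. Checking both directions is the right safeguard for a hand-maintained pair of maps.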