Change default TLS options for more security
This commit is contained in:
parent
703de5331b
commit
c84378d649
5 changed files with 59 additions and 75 deletions
|
@ -3,10 +3,11 @@
|
||||||
This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
|
This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
|
||||||
|
|
||||||
| Feature | Deprecated | End of Support | Removal |
|
| Feature | Deprecated | End of Support | Removal |
|
||||||
|---------------------------------------------------------------|------------|----------------|---------|
|
|-------------------------------------------------------------|------------|----------------|---------|
|
||||||
| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics) | 2.7 | 2.8 | 3.0 |
|
| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics) | 2.7 | 2.8 | 3.0 |
|
||||||
| [Pilot Plugins](#pilot-plugins) | 2.7 | 2.8 | 3.0 |
|
| [Pilot Plugins](#pilot-plugins) | 2.7 | 2.8 | 3.0 |
|
||||||
| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8 | N/A | 3.0 |
|
| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8 | N/A | 3.0 |
|
||||||
|
| [TLS 1.0 and 1.1 Support](#tls-10-and-11) | N/A | 2.8 | N/A |
|
||||||
|
|
||||||
## Impact
|
## Impact
|
||||||
|
|
||||||
|
@ -24,3 +25,7 @@ At 2.9, a new plugin catalog home should be available, decoupled from pilot.
|
||||||
|
|
||||||
Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated,
|
Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated,
|
||||||
please use the `namespaces` options instead.
|
please use the `namespaces` options instead.
|
||||||
|
|
||||||
|
### TLS 1.0 and 1.1
|
||||||
|
|
||||||
|
Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.
|
||||||
|
|
|
@ -182,13 +182,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
|
||||||
desc: "Nil returns an empty configuration",
|
desc: "Nil returns an empty configuration",
|
||||||
given: nil,
|
given: nil,
|
||||||
expected: map[string]tls.Options{
|
expected: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -205,13 +199,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: map[string]tls.Options{
|
expected: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
"foo@provider-1": {
|
"foo@provider-1": {
|
||||||
MinVersion: "VersionTLS12",
|
MinVersion: "VersionTLS12",
|
||||||
},
|
},
|
||||||
|
@ -240,13 +228,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: map[string]tls.Options{
|
expected: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
"foo@provider-1": {
|
"foo@provider-1": {
|
||||||
MinVersion: "VersionTLS13",
|
MinVersion: "VersionTLS13",
|
||||||
},
|
},
|
||||||
|
@ -352,13 +334,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: map[string]tls.Options{
|
expected: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
"foo@provider-1": {
|
"foo@provider-1": {
|
||||||
MinVersion: "VersionTLS12",
|
MinVersion: "VersionTLS12",
|
||||||
},
|
},
|
||||||
|
|
|
@ -95,13 +95,7 @@ func TestNewConfigurationWatcher(t *testing.T) {
|
||||||
},
|
},
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Options: map[string]tls.Options{
|
Options: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Stores: map[string]tls.Store{},
|
Stores: map[string]tls.Store{},
|
||||||
},
|
},
|
||||||
|
@ -238,13 +232,7 @@ func TestIgnoreTransientConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Options: map[string]tls.Options{
|
Options: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Stores: map[string]tls.Store{},
|
Stores: map[string]tls.Store{},
|
||||||
},
|
},
|
||||||
|
@ -408,13 +396,7 @@ func TestListenProvidersDoesNotSkipFlappingConfiguration(t *testing.T) {
|
||||||
},
|
},
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Options: map[string]tls.Options{
|
Options: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Stores: map[string]tls.Store{},
|
Stores: map[string]tls.Store{},
|
||||||
},
|
},
|
||||||
|
@ -503,13 +485,7 @@ func TestListenProvidersIgnoreSameConfig(t *testing.T) {
|
||||||
},
|
},
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Options: map[string]tls.Options{
|
Options: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Stores: map[string]tls.Store{},
|
Stores: map[string]tls.Store{},
|
||||||
},
|
},
|
||||||
|
@ -642,13 +618,7 @@ func TestListenProvidersIgnoreIntermediateConfigs(t *testing.T) {
|
||||||
},
|
},
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Options: map[string]tls.Options{
|
Options: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Stores: map[string]tls.Store{},
|
Stores: map[string]tls.Store{},
|
||||||
},
|
},
|
||||||
|
@ -710,13 +680,7 @@ func TestListenProvidersPublishesConfigForEachProvider(t *testing.T) {
|
||||||
},
|
},
|
||||||
TLS: &dynamic.TLSConfiguration{
|
TLS: &dynamic.TLSConfiguration{
|
||||||
Options: map[string]tls.Options{
|
Options: map[string]tls.Options{
|
||||||
"default": {
|
"default": tls.DefaultTLSOptions,
|
||||||
ALPNProtocols: []string{
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"acme-tls/1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Stores: map[string]tls.Store{},
|
Stores: map[string]tls.Store{},
|
||||||
},
|
},
|
||||||
|
|
|
@ -27,6 +27,17 @@ const (
|
||||||
var DefaultTLSOptions = Options{
|
var DefaultTLSOptions = Options{
|
||||||
// ensure http2 enabled
|
// ensure http2 enabled
|
||||||
ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol},
|
ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol},
|
||||||
|
MinVersion: "VersionTLS12",
|
||||||
|
CipherSuites: getCipherSuites(),
|
||||||
|
}
|
||||||
|
|
||||||
|
func getCipherSuites() []string {
|
||||||
|
gsc := tls.CipherSuites()
|
||||||
|
ciphers := make([]string, len(gsc))
|
||||||
|
for idx, cs := range gsc {
|
||||||
|
ciphers[idx] = cs.Name
|
||||||
|
}
|
||||||
|
return ciphers
|
||||||
}
|
}
|
||||||
|
|
||||||
// Manager is the TLS option/store/configuration factory.
|
// Manager is the TLS option/store/configuration factory.
|
||||||
|
|
|
@ -347,3 +347,31 @@ func TestClientAuth(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestManager_Get_DefaultValues(t *testing.T) {
|
||||||
|
tlsManager := NewManager()
|
||||||
|
|
||||||
|
// Ensures we won't break things for Traefik users when updating Go
|
||||||
|
config, _ := tlsManager.Get("default", "default")
|
||||||
|
assert.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))
|
||||||
|
assert.Equal(t, config.NextProtos, []string{"h2", "http/1.1", "acme-tls/1"})
|
||||||
|
assert.Equal(t, config.CipherSuites, []uint16{
|
||||||
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_CHACHA20_POLY1305_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue