Change default TLS options for more security

This commit is contained in:
Douglas De Toni Machado 2022-09-08 05:56:08 -03:00 committed by GitHub
parent 703de5331b
commit c84378d649
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 59 additions and 75 deletions

View file

@ -2,11 +2,12 @@
This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
| Feature | Deprecated | End of Support | Removal |
|---------------------------------------------------------------|------------|----------------|---------|
| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics) | 2.7 | 2.8 | 3.0 |
| [Pilot Plugins](#pilot-plugins) | 2.7 | 2.8 | 3.0 |
| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8 | N/A | 3.0 |
| Feature | Deprecated | End of Support | Removal |
|-------------------------------------------------------------|------------|----------------|---------|
| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics) | 2.7 | 2.8 | 3.0 |
| [Pilot Plugins](#pilot-plugins) | 2.7 | 2.8 | 3.0 |
| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8 | N/A | 3.0 |
| [TLS 1.0 and 1.1 Support](#tls-10-and-11) | N/A | 2.8 | N/A |
## Impact
@ -24,3 +25,7 @@ At 2.9, a new plugin catalog home should be available, decoupled from pilot.
Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated,
please use the `namespaces` options instead.
### TLS 1.0 and 1.1
Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.

View file

@ -182,13 +182,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
desc: "Nil returns an empty configuration",
given: nil,
expected: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
},
{
@ -205,13 +199,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
},
},
expected: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
"foo@provider-1": {
MinVersion: "VersionTLS12",
},
@ -240,13 +228,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
},
},
expected: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
"foo@provider-1": {
MinVersion: "VersionTLS13",
},
@ -352,13 +334,7 @@ func Test_mergeConfiguration_tlsOptions(t *testing.T) {
},
},
expected: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
"foo@provider-1": {
MinVersion: "VersionTLS12",
},

View file

@ -95,13 +95,7 @@ func TestNewConfigurationWatcher(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
Stores: map[string]tls.Store{},
},
@ -238,13 +232,7 @@ func TestIgnoreTransientConfiguration(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
Stores: map[string]tls.Store{},
},
@ -408,13 +396,7 @@ func TestListenProvidersDoesNotSkipFlappingConfiguration(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
Stores: map[string]tls.Store{},
},
@ -503,13 +485,7 @@ func TestListenProvidersIgnoreSameConfig(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
Stores: map[string]tls.Store{},
},
@ -642,13 +618,7 @@ func TestListenProvidersIgnoreIntermediateConfigs(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
Stores: map[string]tls.Store{},
},
@ -710,13 +680,7 @@ func TestListenProvidersPublishesConfigForEachProvider(t *testing.T) {
},
TLS: &dynamic.TLSConfiguration{
Options: map[string]tls.Options{
"default": {
ALPNProtocols: []string{
"h2",
"http/1.1",
"acme-tls/1",
},
},
"default": tls.DefaultTLSOptions,
},
Stores: map[string]tls.Store{},
},

View file

@ -27,6 +27,17 @@ const (
var DefaultTLSOptions = Options{
// ensure http2 enabled
ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol},
MinVersion: "VersionTLS12",
CipherSuites: getCipherSuites(),
}
func getCipherSuites() []string {
gsc := tls.CipherSuites()
ciphers := make([]string, len(gsc))
for idx, cs := range gsc {
ciphers[idx] = cs.Name
}
return ciphers
}
// Manager is the TLS option/store/configuration factory.

View file

@ -347,3 +347,31 @@ func TestClientAuth(t *testing.T) {
})
}
}
func TestManager_Get_DefaultValues(t *testing.T) {
tlsManager := NewManager()
// Ensures we won't break things for Traefik users when updating Go
config, _ := tlsManager.Get("default", "default")
assert.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))
assert.Equal(t, config.NextProtos, []string{"h2", "http/1.1", "acme-tls/1"})
assert.Equal(t, config.CipherSuites, []uint16{
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_AES_256_GCM_SHA384,
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
})
}