Merge pull request #1392 from stevendanna/tls-configuration

Bump minimum TLS protocol to TLSv1.2
This commit is contained in:
Stephan Renatus 2019-01-29 12:48:57 +01:00 committed by GitHub
commit 81f155882a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -116,13 +116,19 @@ func serve(cmd *cobra.Command, args []string) error {
var grpcOptions []grpc.ServerOption var grpcOptions []grpc.ServerOption
if c.GRPC.TLSCert != "" { if c.GRPC.TLSCert != "" {
if c.GRPC.TLSClientCA != "" {
// Parse certificates from certificate file and key file for server. // Parse certificates from certificate file and key file for server.
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey) cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil { if err != nil {
return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err) return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
} }
tlsConfig := tls.Config{
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
}
if c.GRPC.TLSClientCA != "" {
// Parse certificates from client CA file to a new CertPool. // Parse certificates from client CA file to a new CertPool.
cPool := x509.NewCertPool() cPool := x509.NewCertPool()
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA) clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
@ -133,23 +139,17 @@ func serve(cmd *cobra.Command, args []string) error {
return errors.New("invalid config: failed to parse client CA") return errors.New("invalid config: failed to parse client CA")
} }
tlsConfig := tls.Config{ tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
Certificates: []tls.Certificate{cert}, tlsConfig.ClientCAs = cPool
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: cPool, // Only add metrics if client auth is enabled
}
grpcOptions = append(grpcOptions, grpcOptions = append(grpcOptions,
grpc.Creds(credentials.NewTLS(&tlsConfig)),
grpc.StreamInterceptor(grpcMetrics.StreamServerInterceptor()), grpc.StreamInterceptor(grpcMetrics.StreamServerInterceptor()),
grpc.UnaryInterceptor(grpcMetrics.UnaryServerInterceptor()), grpc.UnaryInterceptor(grpcMetrics.UnaryServerInterceptor()),
) )
} else {
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil {
return fmt.Errorf("invalid config: load grpc certs: %v", err)
}
grpcOptions = append(grpcOptions, grpc.Creds(opt))
} }
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
} }
s, err := c.Storage.Config.Open(logger) s, err := c.Storage.Config.Open(logger)
@ -275,9 +275,18 @@ func serve(cmd *cobra.Command, args []string) error {
}() }()
} }
if c.Web.HTTPS != "" { if c.Web.HTTPS != "" {
httpsSrv := &http.Server{
Addr: c.Web.HTTPS,
Handler: serv,
TLSConfig: &tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
},
}
logger.Infof("listening (https) on %s", c.Web.HTTPS) logger.Infof("listening (https) on %s", c.Web.HTTPS)
go func() { go func() {
err := http.ListenAndServeTLS(c.Web.HTTPS, c.Web.TLSCert, c.Web.TLSKey, serv) err = httpsSrv.ListenAndServeTLS(c.Web.TLSCert, c.Web.TLSKey)
errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err) errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err)
}() }()
} }