tls: support tls 1.3 (#7325)

This commit is contained in:
Hans Hasselberg 2020-02-19 23:22:31 +01:00 committed by GitHub
parent eefcac15ca
commit 322367d476
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 11 deletions

View file

@ -1423,7 +1423,8 @@ type RuntimeConfig struct {
TLSCipherSuites []uint16
// TLSMinVersion is used to set the minimum TLS version used for TLS
// connections. Should be either "tls10", "tls11", or "tls12".
// connections. Should be either "tls10", "tls11", "tls12" or "tls13".
// Defaults to tls12.
//
// hcl: tls_min_version = string
TLSMinVersion string

View file

@ -4,15 +4,17 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
"github.com/hashicorp/consul/logging"
"github.com/hashicorp/go-hclog"
"io/ioutil"
"net"
"os"
"path/filepath"
"sort"
"strings"
"sync"
"time"
"github.com/hashicorp/consul/logging"
"github.com/hashicorp/go-hclog"
)
// DCWrapper is a function that is used to wrap a non-TLS connection
@ -30,8 +32,12 @@ var TLSLookup = map[string]uint16{
"tls10": tls.VersionTLS10,
"tls11": tls.VersionTLS11,
"tls12": tls.VersionTLS12,
"tls13": tls.VersionTLS13,
}
// TLSVersions has all the keys from the map above.
var TLSVersions = strings.Join(tlsVersions(), ", ")
// Config used to create tls.Config
type Config struct {
// VerifyIncoming is used to verify the authenticity of incoming
@ -120,6 +126,17 @@ type Config struct {
AutoEncryptTLS bool
}
func tlsVersions() []string {
versions := []string{}
for v := range TLSLookup {
if v != "" {
versions = append(versions, v)
}
}
sort.Strings(versions)
return versions
}
// KeyPair is used to open and parse a certificate and key file
func (c *Config) KeyPair() (*tls.Certificate, error) {
return loadKeyPair(c.CertFile, c.KeyFile)
@ -323,7 +340,7 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
// Check if a minimum TLS version was set
if config.TLSMinVersion != "" {
if _, ok := TLSLookup[config.TLSMinVersion]; !ok {
return fmt.Errorf("TLSMinVersion: value %s not supported, please specify one of [tls10,tls11,tls12]", config.TLSMinVersion)
return fmt.Errorf("TLSMinVersion: value %s not supported, please specify one of [%s]", config.TLSMinVersion, TLSVersions)
}
}

View file

@ -360,9 +360,6 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
{Config{}, false, false}, // 1
{Config{TLSMinVersion: "tls9"}, true, false}, // 1
{Config{TLSMinVersion: ""}, false, false}, // 2
{Config{TLSMinVersion: "tls10"}, false, false}, // 3
{Config{TLSMinVersion: "tls11"}, false, false}, // 4
{Config{TLSMinVersion: "tls12"}, false, false}, // 5
{Config{VerifyOutgoing: true, CAFile: "", CAPath: ""}, true, false}, // 6
{Config{VerifyOutgoing: false, CAFile: "", CAPath: ""}, false, false}, // 7
{Config{VerifyOutgoing: false, CAFile: cafile, CAPath: ""},
@ -390,6 +387,9 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
{Config{CAFile: "bogus"}, true, true}, // 21
{Config{CAPath: "bogus"}, true, true}, // 22
}
for _, v := range tlsVersions() {
variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
}
c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}}
for i, v := range variants {
@ -590,8 +590,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
require.NoError(t, err)
require.Equal(t, c.commonTLSConfig(false).MinVersion, TLSLookup["tls10"])
tlsVersions := []string{"tls10", "tls11", "tls12"}
for _, version := range tlsVersions {
for _, version := range tlsVersions() {
require.NoError(t, c.Update(Config{TLSMinVersion: version}))
require.Equal(t, c.commonTLSConfig(false).MinVersion,
TLSLookup[version])
@ -839,3 +838,8 @@ func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
c.autoEncrypt.cert = cert
require.False(t, c.AutoEncryptCertExpired())
}
func TestConfig_tlsVersions(t *testing.T) {
require.Equal(t, []string{"tls10", "tls11", "tls12", "tls13"}, tlsVersions())
require.Equal(t, strings.Join(tlsVersions(), ", "), TLSVersions)
}

View file

@ -1830,8 +1830,8 @@ to the old fragment -->
facility messages are sent. By default, `LOCAL0` will be used.
* <a name="tls_min_version"></a><a href="#tls_min_version">`tls_min_version`</a> Added in Consul
0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11"
or "tls12". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less
0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11",
"tls12", or "tls13". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less
secure; avoid using these if possible.
* <a name="tls_cipher_suites"></a><a href="#tls_cipher_suites">`tls_cipher_suites`</a> Added in Consul