Commit graph

77 commits

Author SHA1 Message Date
Hans Hasselberg e00effa325
agent: setup grpc server with auto_encrypt certs and add -https-port (#7086)
* setup grpc server with TLS config used across consul.
* add -https-port flag
2020-01-22 11:32:17 +01:00
Hans Hasselberg 0ee74f1a00
tests: switch to WithinDuration to improve test (#6860)
* Switch to WithinDuration to improve test

This test was flaky before because of the time logic. Now it uses
WithinDuration and should be correct.

Fixes https://github.com/hashicorp/consul/issues/6857.
2019-12-13 17:42:42 +01:00
Hans Hasselberg 368d5c643f
tls: auto_encrypt and verify_incoming (#6811) (#6899)
* relax requirements for auto_encrypt on server
* better error message when auto_encrypt and verify_incoming on
* docs: explain verify_incoming on Consul clients.
2019-12-06 21:36:13 +01:00
Hans Hasselberg 707efc5b39 tls: return auto_encrypt cert for listeners (#6489)
* fix cert check

* fix lock

* add tests

* test: add comments describing expected behavior for auto-encrypt and manual certificates

* test: expect nil *tls.Certificate for empty string certFile or keyFile arg
2019-11-12 13:40:32 -05:00
R.B. Boyer cc889443a5
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492)
The fields in the certs are meant to hold the original binary
representation of this data, not some ascii-encoded version.

The only time we should be colon-hex-encoding fields is for display
purposes or marshaling through non-TLS mediums (like RPC).
2019-09-23 12:52:35 -05:00
Todd Radel 1b14d6595e
connect: Support RSA keys in addition to ECDSA (#6055)
Support RSA keys in addition to ECDSA
2019-07-30 17:47:39 -04:00
Hans Hasselberg 73c4e9f07c
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 22:22:07 +02:00
Hans Hasselberg d511e86491
agent: enable reloading of tls config (#5419)
This PR introduces reloading tls configuration. Consul will now be able to reload the TLS configuration which previously required a restart. It is not yet possible to turn TLS ON or OFF with these changes. Only when TLS is already turned on, the configuration can be reloaded. Most importantly the certificates and CAs.
2019-03-13 10:29:06 +01:00
R.B. Boyer 91e78e00c7
fix typos reported by golangci-lint:misspell (#5434) 2019-03-06 11:13:28 -06:00
Hans Hasselberg af1de3c81c
tlsutil: don't use server_name config for RPC connections (#5394)
* server name only for outgoing https for checks
2019-03-05 21:35:43 +01:00
Hans Hasselberg c6ad6daa09
Centralise tls configuration part 2 (#5374)
This PR is based on #5366 and continues to centralise the tls configuration in order to be reloadable eventually!

This PR is another refactoring. No tests are changed, beyond calling other functions or cosmetic stuff. I added a bunch of tests, even though they might be redundant.
2019-02-27 10:14:59 +01:00
Hans Hasselberg 75ababb54f
Centralise tls configuration part 1 (#5366)
In order to be able to reload the TLS configuration, we need one way to generate the different configurations.

This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`.

This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 16:52:07 +01:00
Hans Hasselberg d7e96cd4ae agent: honor when ca is set but verify_outgoing is disabled (#4826)
* honor when verify_outgoing is false but ca is set

* Remove code that exists only for tests

* fix formatting
2018-12-17 09:56:18 -08:00
Jack Pearkes 9d170164e4
Documentation and changes for verify_server_hostname (#5069)
* verify_server_hostname implies verify_outgoing

* mention CVE in the docs.
2018-12-06 13:51:49 -08:00
Devin Canterberry 881d20c606
🐛 Formatting changes only; add missing trailing commas 2018-03-15 10:19:46 -07:00
Devin Canterberry ece32fce53
🔒 Update supported TLS cipher suites
The list of cipher suites included in this commit are consistent with
the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go).

> **Note:** Cipher suites with RC4 are still included within the list
> of accepted values for compatibility, but **these cipher suites are
> not safe to use** and should be deprecated with warnings and
> subsequently removed. Support for RC4 ciphers has already been
> removed or disabled by default in many prominent browsers and tools,
> including Golang.
>
> **References:**
>
>  * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4)
>  * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-15 10:19:46 -07:00
James Phillips e8eafc4809
Removes stale TLS config clone() in favor of new supported method. 2018-01-10 15:24:26 -08:00
Kyle Havlovitz e4af6583f5 Add a path for transitioning to TLS on an existing cluster (#3001)
Fixes #1705
2017-05-10 14:25:48 -07:00
Kyle Havlovitz 42cf797ad9 Add TLS cipher suite options and CA path support (#2963)
This patch adds options to configure the available
TLS cipher suites and adds support for a path
for multiple CA certificates.

Fixes #2959
2017-04-27 01:29:39 -07:00
Frank Schroeder 9de4555c0c golint: Untangle if blocks with return in else 2017-04-25 09:26:13 -07:00
Kyle Havlovitz 086975ac0a
Add TLSMinVersion to config options 2017-02-01 16:20:33 -05:00
James Phillips 022fce0147 Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281)
* Upgrades to Go 1.7 and fixes vet finding and TLS behavior change.

* Fixes unit tests in a better manner by closing the client connection on errors.

We traced through and realized that https://github.com/golang/go/issues/15709
causes the output from the client to get buffered, which cuts off the alert
feedback due to the flush() call getting bypassed by the error return.
2016-11-07 18:15:26 -08:00
Armon Dadgar 7ab35416fb tlsutil: Testing hostname verification 2015-05-11 16:05:39 -07:00
Armon Dadgar b9d640aa3b tlsutil: Testing VerifyServerHostname on OutgoingConfig 2015-05-11 15:27:09 -07:00
Armon Dadgar 1f984dfea8 tlsutil: Adding wrappers for hostname verification 2015-05-11 15:14:56 -07:00
Armon Dadgar 0299278b5b tls: define wrapper type 2015-05-11 13:09:19 -07:00
Atin Malaviya b4424a1a50 Moved TLS Config stuff to tlsutil package 2014-11-18 11:03:36 -05:00