Merge pull request #4269 from hashicorp/f-tls-remove-weak-standards
Configurable TLS cipher suites and versions; disallow weak ciphers
This commit is contained in:
commit
687c26093c
|
@ -9,6 +9,8 @@ IMPROVEMENTS:
|
|||
image pulls [[GH-4192](https://github.com/hashicorp/nomad/issues/4192)]
|
||||
* env: Default interpolation of optional meta fields of parameterized jobs to
|
||||
an empty string rather than the field key. [[GH-3720](https://github.com/hashicorp/nomad/issues/3720)]
|
||||
* core: Add the option for operators to configure TLS versions and allowed
|
||||
cipher suites. Default is a subset of safe ciphers and TLS 1.2 [[GH-4269](https://github.com/hashicorp/nomad/pull/4269)]
|
||||
* core: Add a new [progress_deadline](https://www.nomadproject.io/docs/job-specification/update.html#progress_deadline) parameter to
|
||||
support rescheduling failed allocations during a deployment. This allows operators to specify a configurable deadline before which
|
||||
a deployment should see healthy allocations [[GH-4259](https://github.com/hashicorp/nomad/issues/4259)]
|
||||
|
|
|
@ -399,11 +399,16 @@ func (c *Client) init() error {
|
|||
func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error {
|
||||
var tlsWrap tlsutil.RegionWrapper
|
||||
if newConfig != nil && newConfig.EnableRPC {
|
||||
tw, err := tlsutil.NewTLSConfiguration(newConfig).OutgoingTLSWrapper()
|
||||
tw, err := tlsutil.NewTLSConfiguration(newConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tlsWrap = tw
|
||||
|
||||
twWrap, err := tw.OutgoingTLSWrapper()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tlsWrap = twWrap
|
||||
}
|
||||
|
||||
// Store the new tls wrapper.
|
||||
|
|
|
@ -13,6 +13,7 @@ import (
|
|||
"github.com/hashicorp/hcl"
|
||||
"github.com/hashicorp/hcl/hcl/ast"
|
||||
"github.com/hashicorp/nomad/helper"
|
||||
"github.com/hashicorp/nomad/helper/tlsutil"
|
||||
"github.com/hashicorp/nomad/nomad/structs/config"
|
||||
"github.com/mitchellh/mapstructure"
|
||||
)
|
||||
|
@ -760,6 +761,8 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
|
|||
"cert_file",
|
||||
"key_file",
|
||||
"verify_https_client",
|
||||
"tls_cipher_suites",
|
||||
"tls_min_version",
|
||||
}
|
||||
|
||||
if err := helper.CheckHCLKeys(listVal, valid); err != nil {
|
||||
|
@ -776,6 +779,14 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
|
|||
return err
|
||||
}
|
||||
|
||||
if _, err := tlsutil.ParseCiphers(tlsConfig.TLSCipherSuites); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if _, err := tlsutil.ParseMinVersion(tlsConfig.TLSMinVersion); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
*result = &tlsConfig
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -6,11 +6,46 @@ import (
|
|||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/nomad/nomad/structs/config"
|
||||
)
|
||||
|
||||
// supportedTLSVersions are the current TLS versions that Nomad supports
|
||||
var supportedTLSVersions = map[string]uint16{
|
||||
"tls10": tls.VersionTLS10,
|
||||
"tls11": tls.VersionTLS11,
|
||||
"tls12": tls.VersionTLS12,
|
||||
}
|
||||
|
||||
// supportedTLSCiphers are the complete list of TLS ciphers supported by Nomad
|
||||
var supportedTLSCiphers = map[string]uint16{
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
}
|
||||
|
||||
// defaultTLSCiphers are the TLS Ciphers that are supported by default
|
||||
var defaultTLSCiphers = []string{"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
}
|
||||
|
||||
// RegionSpecificWrapper is used to invoke a static Region and turns a
|
||||
// RegionWrapper into a Wrapper type.
|
||||
func RegionSpecificWrapper(region string, tlsWrap RegionWrapper) Wrapper {
|
||||
|
@ -65,9 +100,26 @@ type Config struct {
|
|||
|
||||
// KeyLoader dynamically reloads TLS configuration.
|
||||
KeyLoader *config.KeyLoader
|
||||
|
||||
// CipherSuites have a default safe configuration, or operators can override
|
||||
// these values for acceptable safe alternatives.
|
||||
CipherSuites []uint16
|
||||
|
||||
// MinVersion contains the minimum SSL/TLS version that is accepted.
|
||||
MinVersion uint16
|
||||
}
|
||||
|
||||
func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) {
|
||||
ciphers, err := ParseCiphers(newConf.TLSCipherSuites)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
minVersion, err := ParseMinVersion(newConf.TLSMinVersion)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func NewTLSConfiguration(newConf *config.TLSConfig) *Config {
|
||||
return &Config{
|
||||
VerifyIncoming: true,
|
||||
VerifyOutgoing: true,
|
||||
|
@ -76,7 +128,9 @@ func NewTLSConfiguration(newConf *config.TLSConfig) *Config {
|
|||
CertFile: newConf.CertFile,
|
||||
KeyFile: newConf.KeyFile,
|
||||
KeyLoader: newConf.GetKeyLoader(),
|
||||
}
|
||||
CipherSuites: ciphers,
|
||||
MinVersion: minVersion,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// AppendCA opens and parses the CA file and adds the certificates to
|
||||
|
@ -132,6 +186,8 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
|
|||
tlsConfig := &tls.Config{
|
||||
RootCAs: x509.NewCertPool(),
|
||||
InsecureSkipVerify: true,
|
||||
CipherSuites: c.CipherSuites,
|
||||
MinVersion: c.MinVersion,
|
||||
}
|
||||
if c.VerifyServerHostname {
|
||||
tlsConfig.InsecureSkipVerify = false
|
||||
|
@ -250,6 +306,8 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
|
|||
tlsConfig := &tls.Config{
|
||||
ClientCAs: x509.NewCertPool(),
|
||||
ClientAuth: tls.NoClientCert,
|
||||
CipherSuites: c.CipherSuites,
|
||||
MinVersion: c.MinVersion,
|
||||
}
|
||||
|
||||
// Parse the CA cert if any
|
||||
|
@ -279,3 +337,42 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
|
|||
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
// ParseCiphers parses ciphersuites from the comma-separated string into
|
||||
// recognized slice
|
||||
func ParseCiphers(cipherStr string) ([]uint16, error) {
|
||||
suites := []uint16{}
|
||||
|
||||
cipherStr = strings.TrimSpace(cipherStr)
|
||||
|
||||
var ciphers []string
|
||||
if cipherStr == "" {
|
||||
ciphers = defaultTLSCiphers
|
||||
|
||||
} else {
|
||||
ciphers = strings.Split(cipherStr, ",")
|
||||
}
|
||||
for _, cipher := range ciphers {
|
||||
c, ok := supportedTLSCiphers[cipher]
|
||||
if !ok {
|
||||
return suites, fmt.Errorf("unsupported TLS cipher %q", cipher)
|
||||
}
|
||||
suites = append(suites, c)
|
||||
}
|
||||
|
||||
return suites, nil
|
||||
}
|
||||
|
||||
// ParseMinVersion parses the specified minimum TLS version for the Nomad agent
|
||||
func ParseMinVersion(version string) (uint16, error) {
|
||||
if version == "" {
|
||||
return supportedTLSVersions["tls12"], nil
|
||||
}
|
||||
|
||||
vers, ok := supportedTLSVersions[version]
|
||||
if !ok {
|
||||
return 0, fmt.Errorf("unsupported TLS version %q", version)
|
||||
}
|
||||
|
||||
return vers, nil
|
||||
}
|
||||
|
|
|
@ -3,14 +3,17 @@ package tlsutil
|
|||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/nomad/nomad/structs/config"
|
||||
"github.com/hashicorp/yamux"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -412,3 +415,119 @@ func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
|
|||
t.Fatalf("unexpected client cert")
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfig_ParseCiphers_Valid(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
validCiphers := strings.Join([]string{
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
}, ",")
|
||||
|
||||
expectedCiphers := []uint16{
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
}
|
||||
|
||||
parsedCiphers, err := ParseCiphers(validCiphers)
|
||||
require.Nil(err)
|
||||
require.Equal(parsedCiphers, expectedCiphers)
|
||||
}
|
||||
|
||||
func TestConfig_ParseCiphers_Default(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
expectedCiphers := []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
}
|
||||
|
||||
parsedCiphers, err := ParseCiphers("")
|
||||
require.Nil(err)
|
||||
require.Equal(parsedCiphers, expectedCiphers)
|
||||
}
|
||||
|
||||
func TestConfig_ParseCiphers_Invalid(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
invalidCiphers := []string{"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||
"TLS_RSA_WITH_RC4_128_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
|
||||
}
|
||||
|
||||
for _, cipher := range invalidCiphers {
|
||||
parsedCiphers, err := ParseCiphers(cipher)
|
||||
require.NotNil(err)
|
||||
require.Equal(fmt.Sprintf("unsupported TLS cipher %q", cipher), err.Error())
|
||||
require.Equal(0, len(parsedCiphers))
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfig_ParseMinVersion_Valid(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
validVersions := []string{"tls10",
|
||||
"tls11",
|
||||
"tls12",
|
||||
}
|
||||
|
||||
expected := map[string]uint16{
|
||||
"tls10": tls.VersionTLS10,
|
||||
"tls11": tls.VersionTLS11,
|
||||
"tls12": tls.VersionTLS12,
|
||||
}
|
||||
|
||||
for _, version := range validVersions {
|
||||
parsedVersion, err := ParseMinVersion(version)
|
||||
require.Nil(err)
|
||||
require.Equal(expected[version], parsedVersion)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfig_ParseMinVersion_Invalid(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
invalidVersions := []string{"tls13",
|
||||
"tls15",
|
||||
}
|
||||
|
||||
for _, version := range invalidVersions {
|
||||
parsedVersion, err := ParseMinVersion(version)
|
||||
require.NotNil(err)
|
||||
require.Equal(fmt.Sprintf("unsupported TLS version %q", version), err.Error())
|
||||
require.Equal(uint16(0), parsedVersion)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -450,7 +450,12 @@ func (s *Server) reloadTLSConnections(newTLSConfig *config.TLSConfig) error {
|
|||
return fmt.Errorf("can't reload uninitialized RPC listener")
|
||||
}
|
||||
|
||||
tlsConf := tlsutil.NewTLSConfiguration(newTLSConfig)
|
||||
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig)
|
||||
if err != nil {
|
||||
s.logger.Printf("[ERR] nomad: unable to create TLS configuration %s", err)
|
||||
return err
|
||||
}
|
||||
|
||||
incomingTLS, tlsWrap, err := getTLSConf(newTLSConfig.EnableRPC, tlsConf)
|
||||
if err != nil {
|
||||
s.logger.Printf("[ERR] nomad: unable to reset TLS context %s", err)
|
||||
|
|
|
@ -55,6 +55,14 @@ type TLSConfig struct {
|
|||
// Checksum is a MD5 hash of the certificate CA File, Certificate file, and
|
||||
// key file.
|
||||
Checksum string
|
||||
|
||||
// TLSCipherSuites are operator-defined ciphers to be used in Nomad TLS
|
||||
// connections
|
||||
TLSCipherSuites string `mapstructure:"tls_cipher_suites"`
|
||||
|
||||
// TLSMinVersion is used to set the minimum TLS version used for TLS
|
||||
// connections. Should be either "tls10", "tls11", or "tls12".
|
||||
TLSMinVersion string `mapstructure:"tls_min_version"`
|
||||
}
|
||||
|
||||
type KeyLoader struct {
|
||||
|
@ -147,6 +155,9 @@ func (t *TLSConfig) Copy() *TLSConfig {
|
|||
new.RPCUpgradeMode = t.RPCUpgradeMode
|
||||
new.VerifyHTTPSClient = t.VerifyHTTPSClient
|
||||
|
||||
new.TLSCipherSuites = t.TLSCipherSuites
|
||||
new.TLSMinVersion = t.TLSMinVersion
|
||||
|
||||
new.SetChecksum()
|
||||
|
||||
return new
|
||||
|
|
|
@ -174,6 +174,7 @@ func TestTLS_Copy(t *testing.T) {
|
|||
CAFile: cafile,
|
||||
CertFile: foocert,
|
||||
KeyFile: fookey,
|
||||
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
}
|
||||
a.SetChecksum()
|
||||
|
||||
|
|
|
@ -58,6 +58,15 @@ the [Agent's Gossip and RPC Encryption](/docs/agent/encryption.html).
|
|||
cluster is being upgraded to TLS, and removed after the migration is
|
||||
complete. This allows the agent to accept both TLS and plaintext traffic.
|
||||
|
||||
- `tls_cipher_suites` - Specifies the TLS cipher suites that will be used by
|
||||
the agent. Known insecure ciphers are disabled (3DES and RC4). By default,
|
||||
an agent is configured to use TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, and
|
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
|
||||
|
||||
- `tls_min_version` - Specifies the minimum supported version of TLS. Accepted
|
||||
values are "tls10", "tls11", "tls12". Defaults to TLS 1.2.
|
||||
|
||||
- `verify_https_client` `(bool: false)` - Specifies agents should require
|
||||
client certificates for all incoming HTTPS requests. The client certificates
|
||||
must be signed by the same CA as Nomad.
|
||||
|
|
Loading…
Reference in a new issue