Merge pull request #4338 from hashicorp/tls_prefer_server_cipher_suites

Add support for tls PreferServerCipherSuites

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 IMPROVEMENTS:
  * core: Updated serf library to improve how leave intents are handled [[GH-4278](https://github.com/hashicorp/nomad/issues/4278)]
+ * core: Added TLS configuration option to prefer server's ciphersuites over clients[[GH-4338](https://github.com/hashicorp/nomad/issues/4338)]
  * core: Add the option for operators to configure TLS versions and allowed
    cipher suites. Default is a subset of safe ciphers and TLS 1.2 [[GH-4269](https://github.com/hashicorp/nomad/pull/4269)]
  * core: Add a new [progress_deadline](https://www.nomadproject.io/docs/job-specification/update.html#progress_deadline) parameter to

command/agent/config-test-fixtures/basic.hcl

@@ -156,6 +156,9 @@ tls {
     key_file = "pipe"
     rpc_upgrade_mode = true
     verify_https_client = true
+    tls_prefer_server_cipher_suites = true
+    tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    tls_min_version = "tls12"
 }
 sentinel {
     import "foo" {

command/agent/config_parse.go

@@ -763,6 +763,7 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 		"verify_https_client",
 		"tls_cipher_suites",
 		"tls_min_version",
+		"tls_prefer_server_cipher_suites",
 	}
 
 	if err := helper.CheckHCLKeys(listVal, valid); err != nil {

command/agent/config_parse_test.go

@@ -175,6 +175,9 @@ func TestConfig_Parse(t *testing.T) {
 					KeyFile:                     "pipe",
 					RPCUpgradeMode:              true,
 					VerifyHTTPSClient:           true,
+					TLSPreferServerCipherSuites: true,
+					TLSCipherSuites:             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+					TLSMinVersion:               "tls12",
 				},
 				HTTPAPIResponseHeaders: map[string]string{
 					"Access-Control-Allow-Origin": "*",

helper/tlsutil/config.go

@@ -105,6 +105,12 @@ type Config struct {
 	// these values for acceptable safe alternatives.
 	CipherSuites []uint16
 
+	// PreferServerCipherSuites controls whether the server selects the
+	// client's most preferred ciphersuite, or the server's most preferred
+	// ciphersuite. If true then the server's preference, as expressed in
+	// the order of elements in CipherSuites, is used.
+	PreferServerCipherSuites bool
+
 	// MinVersion contains the minimum SSL/TLS version that is accepted.
 	MinVersion uint16
 }
@@ -130,6 +136,7 @@ func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoi
 		KeyLoader:                newConf.GetKeyLoader(),
 		CipherSuites:             ciphers,
 		MinVersion:               minVersion,
+		PreferServerCipherSuites: newConf.TLSPreferServerCipherSuites,
 	}, nil
 }
 
@@ -188,6 +195,7 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 		InsecureSkipVerify:       true,
 		CipherSuites:             c.CipherSuites,
 		MinVersion:               c.MinVersion,
+		PreferServerCipherSuites: c.PreferServerCipherSuites,
 	}
 	if c.VerifyServerHostname {
 		tlsConfig.InsecureSkipVerify = false
@@ -308,6 +316,7 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 		ClientAuth:               tls.NoClientCert,
 		CipherSuites:             c.CipherSuites,
 		MinVersion:               c.MinVersion,
+		PreferServerCipherSuites: c.PreferServerCipherSuites,
 	}
 
 	// Parse the CA cert if any

helper/tlsutil/config_test.go

@@ -167,6 +167,60 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
 	assert.NotNil(cert)
 }
 
+func TestConfig_OutgoingTLS_PreferServerCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, false)
+	}
+	{
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+			PreferServerCipherSuites: true,
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, true)
+	}
+}
+
+func TestConfig_OutgoingTLS_TLSCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		defaultCiphers := []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		}
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+			CipherSuites:   defaultCiphers,
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, defaultCiphers)
+	}
+	{
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+			CipherSuites:   []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305})
+	}
+}
+
 func startTLSServer(config *Config) (net.Conn, chan error) {
 	errc := make(chan error, 1)
 
@@ -416,6 +470,51 @@ func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
 	}
 }
 
+func TestConfig_IncomingTLS_PreferServerCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		conf := &Config{}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, false)
+	}
+	{
+		conf := &Config{
+			PreferServerCipherSuites: true,
+		}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, true)
+	}
+}
+
+func TestConfig_IncomingTLS_TLSCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		defaultCiphers := []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		}
+		conf := &Config{
+			CipherSuites: defaultCiphers,
+		}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, defaultCiphers)
+	}
+	{
+		conf := &Config{
+			CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+		}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305})
+	}
+}
+
 func TestConfig_ParseCiphers_Valid(t *testing.T) {
 	require := require.New(t)
 

nomad/structs/config/tls.go

@@ -63,6 +63,12 @@ type TLSConfig struct {
 	// TLSMinVersion is used to set the minimum TLS version used for TLS
 	// connections. Should be either "tls10", "tls11", or "tls12".
 	TLSMinVersion string `mapstructure:"tls_min_version"`
+
+	// TLSPreferServerCipherSuites controls whether the server selects the
+	// client's most preferred ciphersuite, or the server's most preferred
+	// ciphersuite. If true then the server's preference, as expressed in
+	// the order of elements in CipherSuites, is used.
+	TLSPreferServerCipherSuites bool `mapstructure:"tls_prefer_server_cipher_suites"`
 }
 
 type KeyLoader struct {
@@ -158,6 +164,8 @@ func (t *TLSConfig) Copy() *TLSConfig {
 	new.TLSCipherSuites = t.TLSCipherSuites
 	new.TLSMinVersion = t.TLSMinVersion
 
+	new.TLSPreferServerCipherSuites = t.TLSPreferServerCipherSuites
+
 	new.SetChecksum()
 
 	return new
@@ -211,6 +219,9 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
 	if b.TLSMinVersion != "" {
 		result.TLSMinVersion = b.TLSMinVersion
 	}
+	if b.TLSPreferServerCipherSuites {
+		result.TLSPreferServerCipherSuites = true
+	}
 	return result
 }
 

nomad/structs/config/tls_test.go

@@ -23,6 +23,7 @@ func TestTLSConfig_Merge(t *testing.T) {
 		RPCUpgradeMode:              true,
 		TLSCipherSuites:             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 		TLSMinVersion:               "tls12",
+		TLSPreferServerCipherSuites: true,
 	}
 
 	new := a.Merge(b)
@@ -177,6 +178,8 @@ func TestTLS_Copy(t *testing.T) {
 		CertFile:                    foocert,
 		KeyFile:                     fookey,
 		TLSCipherSuites:             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+		TLSMinVersion:               "tls12",
+		TLSPreferServerCipherSuites: true,
 	}
 	a.SetChecksum()
 

website/source/docs/agent/configuration/tls.html.md

@@ -58,14 +58,18 @@ the [Agent's Gossip and RPC Encryption](/docs/agent/encryption.html).
   cluster is being upgraded to TLS, and removed after the migration is
   complete. This allows the agent to accept both TLS and plaintext traffic.
 
-- `tls_cipher_suites` - Specifies the TLS cipher suites that will be used by
+- `tls_cipher_suites` `(array<string>: [])` - Specifies the TLS cipher suites
-  the agent. Known insecure ciphers are disabled (3DES and RC4). By default,
+  that will be used by the agent. Known insecure ciphers are disabled (3DES and
-  an agent is configured to use TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+  RC4). By default, an agent is configured to use
+  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, and
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
 
-- `tls_min_version` - Specifies the minimum supported version of TLS. Accepted
+- `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version
-  values are "tls10", "tls11", "tls12". Defaults to TLS 1.2.
+  of TLS. Accepted values are "tls10", "tls11", "tls12".
+
+- `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether
+  TLS connections should prefer the server's ciphersuites over the client's.
 
 - `verify_https_client` `(bool: false)` - Specifies agents should require
   client certificates for all incoming HTTPS requests. The client certificates