Merge pull request #4338 from hashicorp/tls_prefer_server_cipher_suites

Add support for tls PreferServerCipherSuites
2018-05-30 17:25:17 +00:00 · 2018-05-30 17:25:17 +00:00 · ad3dbe8ed0
parent e96a4af694 c7d3dc476e
commit ad3dbe8ed0
9 changed files with 176 additions and 42 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,7 @@

 IMPROVEMENTS:
 * core: Updated serf library to improve how leave intents are handled [[GH-4278](https://github.com/hashicorp/nomad/issues/4278)]
+ * core: Added TLS configuration option to prefer server's ciphersuites over clients[[GH-4338](https://github.com/hashicorp/nomad/issues/4338)]
 * core: Add the option for operators to configure TLS versions and allowed
   cipher suites. Default is a subset of safe ciphers and TLS 1.2 [[GH-4269](https://github.com/hashicorp/nomad/pull/4269)]
 * core: Add a new [progress_deadline](https://www.nomadproject.io/docs/job-specification/update.html#progress_deadline) parameter to
--- a/command/agent/config-test-fixtures/basic.hcl
+++ b/command/agent/config-test-fixtures/basic.hcl
@ -156,6 +156,9 @@ tls {
    key_file = "pipe"
    rpc_upgrade_mode = true
    verify_https_client = true
+    tls_prefer_server_cipher_suites = true
+    tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    tls_min_version = "tls12"
 }
 sentinel {
    import "foo" {
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@ -763,6 +763,7 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 		"verify_https_client",
 		"tls_cipher_suites",
 		"tls_min_version",
+		"tls_prefer_server_cipher_suites",
 	}

 	if err := helper.CheckHCLKeys(listVal, valid); err != nil {
--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@ -175,6 +175,9 @@ func TestConfig_Parse(t *testing.T) {
 					KeyFile:                     "pipe",
 					RPCUpgradeMode:              true,
 					VerifyHTTPSClient:           true,
+					TLSPreferServerCipherSuites: true,
+					TLSCipherSuites:             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+					TLSMinVersion:               "tls12",
 				},
 				HTTPAPIResponseHeaders: map[string]string{
 					"Access-Control-Allow-Origin": "*",
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@ -105,6 +105,12 @@ type Config struct {
 	// these values for acceptable safe alternatives.
 	CipherSuites []uint16

+	// PreferServerCipherSuites controls whether the server selects the
+	// client's most preferred ciphersuite, or the server's most preferred
+	// ciphersuite. If true then the server's preference, as expressed in
+	// the order of elements in CipherSuites, is used.
+	PreferServerCipherSuites bool
+
 	// MinVersion contains the minimum SSL/TLS version that is accepted.
 	MinVersion uint16
 }
@ -130,6 +136,7 @@ func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoi
 		KeyLoader:                newConf.GetKeyLoader(),
 		CipherSuites:             ciphers,
 		MinVersion:               minVersion,
+		PreferServerCipherSuites: newConf.TLSPreferServerCipherSuites,
 	}, nil
 }

@ -188,6 +195,7 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 		InsecureSkipVerify:       true,
 		CipherSuites:             c.CipherSuites,
 		MinVersion:               c.MinVersion,
+		PreferServerCipherSuites: c.PreferServerCipherSuites,
 	}
 	if c.VerifyServerHostname {
 		tlsConfig.InsecureSkipVerify = false
@ -308,6 +316,7 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 		ClientAuth:               tls.NoClientCert,
 		CipherSuites:             c.CipherSuites,
 		MinVersion:               c.MinVersion,
+		PreferServerCipherSuites: c.PreferServerCipherSuites,
 	}

 	// Parse the CA cert if any
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
@ -167,6 +167,60 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
 	assert.NotNil(cert)
 }

+func TestConfig_OutgoingTLS_PreferServerCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, false)
+	}
+	{
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+			PreferServerCipherSuites: true,
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, true)
+	}
+}
+
+func TestConfig_OutgoingTLS_TLSCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		defaultCiphers := []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		}
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+			CipherSuites:   defaultCiphers,
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, defaultCiphers)
+	}
+	{
+		conf := &Config{
+			VerifyOutgoing: true,
+			CAFile:         cacert,
+			CipherSuites:   []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+		}
+		tlsConfig, err := conf.OutgoingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305})
+	}
+}
+
 func startTLSServer(config *Config) (net.Conn, chan error) {
 	errc := make(chan error, 1)

@ -416,6 +470,51 @@ func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
 	}
 }

+func TestConfig_IncomingTLS_PreferServerCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		conf := &Config{}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, false)
+	}
+	{
+		conf := &Config{
+			PreferServerCipherSuites: true,
+		}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.PreferServerCipherSuites, true)
+	}
+}
+
+func TestConfig_IncomingTLS_TLSCipherSuites(t *testing.T) {
+	require := require.New(t)
+
+	{
+		defaultCiphers := []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		}
+		conf := &Config{
+			CipherSuites: defaultCiphers,
+		}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, defaultCiphers)
+	}
+	{
+		conf := &Config{
+			CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+		}
+		tlsConfig, err := conf.IncomingTLSConfig()
+		require.Nil(err)
+		require.Equal(tlsConfig.CipherSuites, []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305})
+	}
+}
+
 func TestConfig_ParseCiphers_Valid(t *testing.T) {
 	require := require.New(t)

--- a/nomad/structs/config/tls.go
+++ b/nomad/structs/config/tls.go
@ -63,6 +63,12 @@ type TLSConfig struct {
 	// TLSMinVersion is used to set the minimum TLS version used for TLS
 	// connections. Should be either "tls10", "tls11", or "tls12".
 	TLSMinVersion string `mapstructure:"tls_min_version"`
+
+	// TLSPreferServerCipherSuites controls whether the server selects the
+	// client's most preferred ciphersuite, or the server's most preferred
+	// ciphersuite. If true then the server's preference, as expressed in
+	// the order of elements in CipherSuites, is used.
+	TLSPreferServerCipherSuites bool `mapstructure:"tls_prefer_server_cipher_suites"`
 }

 type KeyLoader struct {
@ -158,6 +164,8 @@ func (t *TLSConfig) Copy() *TLSConfig {
 	new.TLSCipherSuites = t.TLSCipherSuites
 	new.TLSMinVersion = t.TLSMinVersion

+	new.TLSPreferServerCipherSuites = t.TLSPreferServerCipherSuites
+
 	new.SetChecksum()

 	return new
@ -211,6 +219,9 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
 	if b.TLSMinVersion != "" {
 		result.TLSMinVersion = b.TLSMinVersion
 	}
+	if b.TLSPreferServerCipherSuites {
+		result.TLSPreferServerCipherSuites = true
+	}
 	return result
 }

--- a/nomad/structs/config/tls_test.go
+++ b/nomad/structs/config/tls_test.go
@ -23,6 +23,7 @@ func TestTLSConfig_Merge(t *testing.T) {
 		RPCUpgradeMode:              true,
 		TLSCipherSuites:             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 		TLSMinVersion:               "tls12",
+		TLSPreferServerCipherSuites: true,
 	}

 	new := a.Merge(b)
@ -177,6 +178,8 @@ func TestTLS_Copy(t *testing.T) {
 		CertFile:                    foocert,
 		KeyFile:                     fookey,
 		TLSCipherSuites:             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+		TLSMinVersion:               "tls12",
+		TLSPreferServerCipherSuites: true,
 	}
 	a.SetChecksum()

--- a/website/source/docs/agent/configuration/tls.html.md
+++ b/website/source/docs/agent/configuration/tls.html.md
@ -58,14 +58,18 @@ the [Agent's Gossip and RPC Encryption](/docs/agent/encryption.html).
  cluster is being upgraded to TLS, and removed after the migration is
  complete. This allows the agent to accept both TLS and plaintext traffic.

- `tls_cipher_suites` - Specifies the TLS cipher suites that will be used by
-  the agent. Known insecure ciphers are disabled (3DES and RC4). By default,
-  an agent is configured to use TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+- `tls_cipher_suites` `(array<string>: [])` - Specifies the TLS cipher suites
+  that will be used by the agent. Known insecure ciphers are disabled (3DES and
+  RC4). By default, an agent is configured to use
+  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, and
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

- `tls_min_version` - Specifies the minimum supported version of TLS. Accepted
-  values are "tls10", "tls11", "tls12". Defaults to TLS 1.2.
+- `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version
+  of TLS. Accepted values are "tls10", "tls11", "tls12".
+
+- `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether
+  TLS connections should prefer the server's ciphersuites over the client's.

 - `verify_https_client` `(bool: false)` - Specifies agents should require
  client certificates for all incoming HTTPS requests. The client certificates