Merge pull request #3962 from canterberry/upgrade/tls-cipher-suites
🔒 Update supported TLS cipher suites
commit
a8f7681c70
|
@ -1107,23 +1107,28 @@ type RuntimeConfig struct {
|
||||||
//
|
//
|
||||||
// The values should be a list of the following values:
|
// The values should be a list of the following values:
|
||||||
//
|
//
|
||||||
// TLS_RSA_WITH_RC4_128_SHA
|
// TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||||
// TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
// TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||||
// TLS_RSA_WITH_AES_128_CBC_SHA
|
|
||||||
// TLS_RSA_WITH_AES_256_CBC_SHA
|
|
||||||
// TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
||||||
// TLS_RSA_WITH_AES_256_GCM_SHA384
|
|
||||||
// TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
|
||||||
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
||||||
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
||||||
// TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
|
||||||
// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
||||||
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
||||||
// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
||||||
// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||||
// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||||
|
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||||
|
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||||
|
// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||||
|
// TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
// TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||||
|
// TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||||
|
// TLS_RSA_WITH_AES_128_CBC_SHA
|
||||||
|
// TLS_RSA_WITH_AES_256_CBC_SHA
|
||||||
|
// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
// TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||||
|
// TLS_RSA_WITH_RC4_128_SHA
|
||||||
|
// TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||||
|
// TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||||
//
|
//
|
||||||
// todo(fs): IMHO, we should also support the raw 0xNNNN values from
|
// todo(fs): IMHO, we should also support the raw 0xNNNN values from
|
||||||
// todo(fs): https://golang.org/pkg/crypto/tls/#pkg-constants
|
// todo(fs): https://golang.org/pkg/crypto/tls/#pkg-constants
|
||||||
|
|
|
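Review bot: The rewritten field comment still lists the RC4 and 3DES suites (the last five entries, from TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA down) in the same breath as the AEAD suites, with nothing telling an operator that those are weak and only kept for older clients. A single line ahead of that group, `// The following RC4 and 3DES suites are weak and are accepted only for compatibility with legacy clients; do not enable them unless required.`, would give the documentation the signal the ordering alone does not. The 22-name list here also duplicates the map literal in ParseCiphers by hand, so a note such as `// Keep in sync with ParseCiphers.` would tell the next editor which copy has to change too. The RuntimeConfig struct starts and ends outside this hunk.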
@ -2581,7 +2581,7 @@ func TestFullConfig(t *testing.T) {
|
||||||
"statsd_address": "drce87cy",
|
"statsd_address": "drce87cy",
|
||||||
"statsite_address": "HpFwKB8R"
|
"statsite_address": "HpFwKB8R"
|
||||||
},
|
},
|
||||||
"tls_cipher_suites": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
"tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||||
"tls_min_version": "pAOWafkR",
|
"tls_min_version": "pAOWafkR",
|
||||||
"tls_prefer_server_cipher_suites": true,
|
"tls_prefer_server_cipher_suites": true,
|
||||||
"translate_wan_addrs": true,
|
"translate_wan_addrs": true,
|
||||||
|
@ -3017,7 +3017,7 @@ func TestFullConfig(t *testing.T) {
|
||||||
statsd_address = "drce87cy"
|
statsd_address = "drce87cy"
|
||||||
statsite_address = "HpFwKB8R"
|
statsite_address = "HpFwKB8R"
|
||||||
}
|
}
|
||||||
tls_cipher_suites = "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
|
tls_cipher_suites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||||
tls_min_version = "pAOWafkR"
|
tls_min_version = "pAOWafkR"
|
||||||
tls_prefer_server_cipher_suites = true
|
tls_prefer_server_cipher_suites = true
|
||||||
translate_wan_addrs = true
|
translate_wan_addrs = true
|
||||||
|
@ -3575,7 +3575,7 @@ func TestFullConfig(t *testing.T) {
|
||||||
TelemetryMetricsPrefix: "ftO6DySn",
|
TelemetryMetricsPrefix: "ftO6DySn",
|
||||||
TelemetryStatsdAddr: "drce87cy",
|
TelemetryStatsdAddr: "drce87cy",
|
||||||
TelemetryStatsiteAddr: "HpFwKB8R",
|
TelemetryStatsiteAddr: "HpFwKB8R",
|
||||||
TLSCipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA},
|
TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
|
||||||
TLSMinVersion: "pAOWafkR",
|
TLSMinVersion: "pAOWafkR",
|
||||||
TLSPreferServerCipherSuites: true,
|
TLSPreferServerCipherSuites: true,
|
||||||
TaggedAddresses: map[string]string{
|
TaggedAddresses: map[string]string{
|
||||||
|
|
|
@ -770,7 +770,7 @@ func TestServer_RevokeLeadershipIdempotent(t *testing.T) {
|
||||||
|
|
||||||
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||||
|
|
||||||
err:= s1.revokeLeadership()
|
err := s1.revokeLeadership()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -361,23 +361,28 @@ func ParseCiphers(cipherStr string) ([]uint16, error) {
|
||||||
ciphers := strings.Split(cipherStr, ",")
|
ciphers := strings.Split(cipherStr, ",")
|
||||||
|
|
||||||
cipherMap := map[string]uint16{
|
cipherMap := map[string]uint16{
|
||||||
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
||||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
||||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
|
||||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
|
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||||
|
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
||||||
}
|
}
|
||||||
for _, cipher := range ciphers {
|
for _, cipher := range ciphers {
|
||||||
if v, ok := cipherMap[cipher]; ok {
|
if v, ok := cipherMap[cipher]; ok {
|
||||||
|
|
|
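Review bot: `cipherMap` at the top of the hunk is a map literal rebuilt on every call to ParseCiphers, and the commit grows it to 22 entries; hoisting it to a package-level `var cipherMap = map[string]uint16{...}` builds the table once and lets the tests and the RuntimeConfig documentation refer to a single source of truth. The lookup is also an exact string match on the pieces of `strings.Split(cipherStr, ",")`, so a config value written as `"A, B"` would miss on the second entry because of the leading space; unless the code after the hunk already does so, `cipher = strings.TrimSpace(cipher)` before `cipherMap[cipher]` makes the parser tolerant of that without accepting anything new. The function signature and the not-found branch are outside this hunk.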
@ -513,32 +513,52 @@ func TestConfig_IncomingTLS_TLSMinVersion(t *testing.T) {
|
||||||
|
|
||||||
func TestConfig_ParseCiphers(t *testing.T) {
|
func TestConfig_ParseCiphers(t *testing.T) {
|
||||||
testOk := strings.Join([]string{
|
testOk := strings.Join([]string{
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||||
|
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
|
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
|
"TLS_RSA_WITH_RC4_128_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
|
||||||
}, ",")
|
}, ",")
|
||||||
ciphers := []uint16{
|
ciphers := []uint16{
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
||||||
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
||||||
}
|
}
|
||||||
v, err := ParseCiphers(testOk)
|
v, err := ParseCiphers(testOk)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
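Review bot: `testOk` and `ciphers` are two hand-maintained 22-element lists that must stay in lockstep position by position with the map in ParseCiphers, and the part of the test visible here only checks that the full list round-trips; no case for an unknown name, an empty string, or surrounding whitespace is shown, so if those exist they are outside the hunk. Keeping each name next to its constant in one slice of pairs and deriving both the joined input and the expected slice from it removes the positional coupling, so a future reorder cannot silently pass with a mismatched expectation. The remainder of the function, including the comparison and any error cases, is outside this hunk.
```go
func TestConfig_ParseCiphers(t *testing.T) {
	cases := []struct {
		name string
		id   uint16
	}{
		{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
		{"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
		// … remaining 20 name/constant pairs, in the same order as the original testOk list …
	}
	names := make([]string, 0, len(cases))
	ciphers := make([]uint16, 0, len(cases))
	for _, c := range cases {
		names = append(names, c.name)
		ciphers = append(ciphers, c.id)
	}
	testOk := strings.Join(names, ",")
	// … unchanged: ParseCiphers(testOk) call and the comparison against ciphers …
```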