66 Commits

Author SHA1 Message Date
Hans Hasselberg
786b3b1095 Centralise tls configuration part 1 (#5366)
In order to be able to reload the TLS configuration, we need one way to generate the different configurations.

This PR introduces a `tlsutil.Configurator` which holds a `tlsutil.Config`. Afterwards it is responsible for rendering every `tls.Config`. In this particular PR I moved `IncomingHTTPSConfig`, `IncomingTLSConfig`, and `OutgoingTLSWrapper` into `tlsutil.Configurator`.

This PR is a pure refactoring - not a single feature added. And not a single test added. I only slightly modified existing tests as necessary.
2019-02-26 16:52:07 +01:00
Hans Hasselberg
787f3f8aa6 agent: honor when ca is set but verify_outgoing is disabled (#4826)
* honor when verify_outgoing is false but ca is set

* Remove code that exists only for tests

* fix formatting
2018-12-17 09:56:18 -08:00
Jack Pearkes
b64e8b262f Documentation and changes for verify_server_hostname (#5069)
* verify_server_hostname implies verify_outgoing

* mention CVE in the docs.
2018-12-06 13:51:49 -08:00
Devin Canterberry
a61abcd931 🐛 Formatting changes only; add missing trailing commas 2018-03-15 10:19:46 -07:00
Devin Canterberry
c901307a47 🔒 Update supported TLS cipher suites
The list of cipher suites included in this commit is consistent with
the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go).

> **Note:** Cipher suites with RC4 are still included within the list
> of accepted values for compatibility, but **these cipher suites are
> not safe to use** and should be deprecated with warnings and
> subsequently removed. Support for RC4 ciphers has already been
> removed or disabled by default in many prominent browsers and tools,
> including Golang.
>
> **References:**
>
>  * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4)
>  * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
2018-03-15 10:19:46 -07:00
James Phillips
8324c1b9a6 Removes stale TLS config clone() in favor of new supported method. 2018-01-10 15:24:26 -08:00
Kyle Havlovitz
5bab68b9bb Add a path for transitioning to TLS on an existing cluster (#3001)
Fixes #1705
2017-05-10 14:25:48 -07:00
Kyle Havlovitz
b70e419aeb Add TLS cipher suite options and CA path support (#2963)
This patch adds options to configure the available
TLS cipher suites and adds support for a path
for multiple CA certificates.

Fixes #2959
2017-04-27 01:29:39 -07:00
Frank Schroeder
3e00e36f41 golint: Untangle if blocks with return in else 2017-04-25 09:26:13 -07:00
Kyle Havlovitz
07ba3ddb6e Add TLSMinVersion to config options 2017-02-01 16:20:33 -05:00
James Phillips
6de74c60a4 Upgrades to Go 1.7 and fixes vet finding and TLS behavior change. (#2281)
* Upgrades to Go 1.7 and fixes vet finding and TLS behavior change.

* Fixes unit tests in a better manner by closing the client connection on errors.

We traced through and realized that https://github.com/golang/go/issues/15709
causes the output from the client to get buffered, which cuts off the alert
feedback due to the flush() call getting bypassed by the error return.
2016-11-07 18:15:26 -08:00
Armon Dadgar
53f2d8868c tlsutil: Testing hostname verification 2015-05-11 16:05:39 -07:00
Armon Dadgar
7665b65834 tlsutil: Testing VerifyServerHostname on OutgoingConfig 2015-05-11 15:27:09 -07:00
Armon Dadgar
cfe788646d tlsutil: Adding wrappers for hostname verification 2015-05-11 15:14:56 -07:00
Armon Dadgar
6b2390833d tls: define wrapper type 2015-05-11 13:09:19 -07:00
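The commits in this log describe one piece of TLS configuration each: a central place that renders every `tls.Config` (#5366), honoring a configured CA when `verify_outgoing` is off (#4826), `verify_server_hostname` implying `verify_outgoing` (#5069), a cipher-suite list that still carries RC4 "for compatibility", configurable cipher suites and CA paths (#2963), `TLSMinVersion`, and the hostname-verification wrapper type and wrappers. The block below is an added example, written for this page, that puts those rules together in working Go; it is not Consul's `tlsutil` code and nothing in it comes from the commits themselves. The `Config`, `OutgoingTLSConfig`, `OutgoingConfigForDC`, `ParseCipherSuites` and `SelfSignedCAPEM` names are hypothetical; the rendering rules are this example's reading of the commit titles; the CA bundle is supplied as PEM bytes instead of being loaded from `ca_file`/`ca_path`; and `server.<dc>.consul` assumes Consul's default domain. It also goes a step beyond the cipher-suite commit: instead of accepting RC4 with a warning, it refuses every suite Go marks insecure, and it refuses a TLS floor below 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Config is a hypothetical stand-in for the agent's TLS options (not Consul's tlsutil.Config).
type Config struct {
	CACert               []byte   // contents of ca_file; nil means no CA configured
	VerifyOutgoing       bool     // verify_outgoing
	VerifyServerHostname bool     // verify_server_hostname
	TLSMinVersion        uint16   // tls_min_version as a tls.VersionTLS* constant; 0 = Go default
	CipherSuites         []string // tls_cipher_suites as crypto/tls names; empty = Go default
}

// ParseCipherSuites maps names to IDs and refuses every suite Go itself marks insecure
// (RC4, 3DES, CBC-SHA256) rather than carrying them "for compatibility".
func ParseCipherSuites(names []string) ([]uint16, error) {
	table := map[string]*tls.CipherSuite{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		table[s.Name] = s
	}
	var ids []uint16
	for _, n := range names {
		s, ok := table[n]
		if !ok || s.Insecure {
			return nil, fmt.Errorf("cipher suite %s is unknown or insecure", n)
		}
		ids = append(ids, s.ID)
	}
	return ids, nil
}

// OutgoingTLSConfig renders the client-side tls.Config under this example's reading of the commits:
// verify_server_hostname implies verify_outgoing, a configured CA is loaded even with verification
// off, and verifying without a CA is a configuration error rather than a silent skip.
func OutgoingTLSConfig(c Config) (*tls.Config, error) {
	verify := c.VerifyOutgoing || c.VerifyServerHostname
	var pool *x509.CertPool
	if c.CACert != nil {
		pool = x509.NewCertPool()
		if !pool.AppendCertsFromPEM(c.CACert) {
			return nil, fmt.Errorf("ca_file contains no PEM certificates")
		}
	}
	if verify && pool == nil {
		return nil, fmt.Errorf("verify_outgoing requires ca_file")
	}
	if c.TLSMinVersion != 0 && c.TLSMinVersion < tls.VersionTLS12 {
		return nil, fmt.Errorf("tls_min_version below TLS 1.2 is not allowed")
	}
	suites, err := ParseCipherSuites(c.CipherSuites)
	if err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: !verify, MinVersion: c.TLSMinVersion, CipherSuites: suites}, nil
}

// OutgoingConfigForDC is the hostname-verification wrapper: with verify_server_hostname the peer
// must present server.<dc>.consul (default domain assumed), so a valid cert from another DC fails.
func OutgoingConfigForDC(c Config, base *tls.Config, dc string) *tls.Config {
	cfg := base.Clone()
	if c.VerifyServerHostname {
		cfg.ServerName = "server." + dc + ".consul"
	}
	return cfg
}

// SelfSignedCAPEM makes a throwaway CA certificate so the example runs offline; test scaffolding only.
func SelfSignedCAPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Hardened client: hostname verification (which implies verify_outgoing), TLS 1.2 floor, one AEAD suite.
	strong := Config{CACert: SelfSignedCAPEM(), VerifyServerHostname: true, TLSMinVersion: tls.VersionTLS12, CipherSuites: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}}
	cfg, err := OutgoingTLSConfig(strong)
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify=%v min=%#x servername=%s\n", !cfg.InsecureSkipVerify, cfg.MinVersion, OutgoingConfigForDC(strong, cfg, "dc1").ServerName)
}
```

The weak configurations are handled by the same function: listing `TLS_RSA_WITH_RC4_128_SHA` in `CipherSuites`, setting `TLSMinVersion` to `tls.VersionTLS10`, or turning on `VerifyOutgoing` without a CA makes `OutgoingTLSConfig` return an error instead of a weakened `tls.Config`, while a CA with `VerifyOutgoing` off still gets its pool loaded. The base config is cloned per datacenter so that one rendered config serves every outgoing connection and only `ServerName` differs.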
Atin Malaviya
f1f8c88228 Moved TLS Config stuff to tlsutil package 2014-11-18 11:03:36 -05:00