Merge pull request #1392 from stevendanna/tls-configuration
Bump minimum TLS protocol to TLSv1.2
This commit is contained in:
Stephan Renatus
GitHub
commit
81f155882a
|
|
@ -116,13 +116,19 @@ func serve(cmd *cobra.Command, args []string) error {
|
|||
var grpcOptions []grpc.ServerOption
|
||||
|
||||
if c.GRPC.TLSCert != "" {
|
||||
if c.GRPC.TLSClientCA != "" {
|
||||
// Parse certificates from certificate file and key file for server.
|
||||
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
|
||||
}
|
||||
// Parse certificates from certificate file and key file for server.
|
||||
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
|
||||
}
|
||||
|
||||
tlsConfig := tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
PreferServerCipherSuites: true,
|
||||
}
|
||||
|
||||
if c.GRPC.TLSClientCA != "" {
|
||||
// Parse certificates from client CA file to a new CertPool.
|
||||
cPool := x509.NewCertPool()
|
||||
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
|
||||
|
|
@ -133,23 +139,17 @@ func serve(cmd *cobra.Command, args []string) error {
|
|||
return errors.New("invalid config: failed to parse client CA")
|
||||
}
|
||||
|
||||
tlsConfig := tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
ClientCAs: cPool,
|
||||
}
|
||||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
tlsConfig.ClientCAs = cPool
|
||||
|
||||
// Only add metrics if client auth is enabled
|
||||
grpcOptions = append(grpcOptions,
|
||||
grpc.Creds(credentials.NewTLS(&tlsConfig)),
|
||||
grpc.StreamInterceptor(grpcMetrics.StreamServerInterceptor()),
|
||||
grpc.UnaryInterceptor(grpcMetrics.UnaryServerInterceptor()),
|
||||
)
|
||||
} else {
|
||||
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid config: load grpc certs: %v", err)
|
||||
}
|
||||
grpcOptions = append(grpcOptions, grpc.Creds(opt))
|
||||
}
|
||||
|
||||
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
|
||||
}
|
||||
|
||||
s, err := c.Storage.Config.Open(logger)
|
||||
|
|
@ -275,9 +275,18 @@ func serve(cmd *cobra.Command, args []string) error {
|
|||
}()
|
||||
}
|
||||
if c.Web.HTTPS != "" {
|
||||
httpsSrv := &http.Server{
|
||||
Addr: c.Web.HTTPS,
|
||||
Handler: serv,
|
||||
TLSConfig: &tls.Config{
|
||||
PreferServerCipherSuites: true,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
},
|
||||
}
|
||||
|
||||
logger.Infof("listening (https) on %s", c.Web.HTTPS)
|
||||
go func() {
|
||||
err := http.ListenAndServeTLS(c.Web.HTTPS, c.Web.TLSCert, c.Web.TLSKey, serv)
|
||||
err = httpsSrv.ListenAndServeTLS(c.Web.TLSCert, c.Web.TLSKey)
|
||||
errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err)
|
||||
}()
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue