Merge pull request #1392 from stevendanna/tls-configuration
Bump minimum TLS protocol to TLSv1.2
This commit is contained in:
commit
81f155882a
1 changed files with 28 additions and 19 deletions
|
@ -116,13 +116,19 @@ func serve(cmd *cobra.Command, args []string) error {
|
||||||
var grpcOptions []grpc.ServerOption
|
var grpcOptions []grpc.ServerOption
|
||||||
|
|
||||||
if c.GRPC.TLSCert != "" {
|
if c.GRPC.TLSCert != "" {
|
||||||
if c.GRPC.TLSClientCA != "" {
|
// Parse certificates from certificate file and key file for server.
|
||||||
// Parse certificates from certificate file and key file for server.
|
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
|
||||||
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
|
if err != nil {
|
||||||
if err != nil {
|
return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
|
||||||
return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
|
}
|
||||||
}
|
|
||||||
|
|
||||||
|
tlsConfig := tls.Config{
|
||||||
|
Certificates: []tls.Certificate{cert},
|
||||||
|
MinVersion: tls.VersionTLS12,
|
||||||
|
PreferServerCipherSuites: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
if c.GRPC.TLSClientCA != "" {
|
||||||
// Parse certificates from client CA file to a new CertPool.
|
// Parse certificates from client CA file to a new CertPool.
|
||||||
cPool := x509.NewCertPool()
|
cPool := x509.NewCertPool()
|
||||||
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
|
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
|
||||||
|
@ -133,23 +139,17 @@ func serve(cmd *cobra.Command, args []string) error {
|
||||||
return errors.New("invalid config: failed to parse client CA")
|
return errors.New("invalid config: failed to parse client CA")
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsConfig := tls.Config{
|
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||||
Certificates: []tls.Certificate{cert},
|
tlsConfig.ClientCAs = cPool
|
||||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
||||||
ClientCAs: cPool,
|
// Only add metrics if client auth is enabled
|
||||||
}
|
|
||||||
grpcOptions = append(grpcOptions,
|
grpcOptions = append(grpcOptions,
|
||||||
grpc.Creds(credentials.NewTLS(&tlsConfig)),
|
|
||||||
grpc.StreamInterceptor(grpcMetrics.StreamServerInterceptor()),
|
grpc.StreamInterceptor(grpcMetrics.StreamServerInterceptor()),
|
||||||
grpc.UnaryInterceptor(grpcMetrics.UnaryServerInterceptor()),
|
grpc.UnaryInterceptor(grpcMetrics.UnaryServerInterceptor()),
|
||||||
)
|
)
|
||||||
} else {
|
|
||||||
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("invalid config: load grpc certs: %v", err)
|
|
||||||
}
|
|
||||||
grpcOptions = append(grpcOptions, grpc.Creds(opt))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
|
||||||
}
|
}
|
||||||
|
|
||||||
s, err := c.Storage.Config.Open(logger)
|
s, err := c.Storage.Config.Open(logger)
|
||||||
|
@ -275,9 +275,18 @@ func serve(cmd *cobra.Command, args []string) error {
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
if c.Web.HTTPS != "" {
|
if c.Web.HTTPS != "" {
|
||||||
|
httpsSrv := &http.Server{
|
||||||
|
Addr: c.Web.HTTPS,
|
||||||
|
Handler: serv,
|
||||||
|
TLSConfig: &tls.Config{
|
||||||
|
PreferServerCipherSuites: true,
|
||||||
|
MinVersion: tls.VersionTLS12,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
logger.Infof("listening (https) on %s", c.Web.HTTPS)
|
logger.Infof("listening (https) on %s", c.Web.HTTPS)
|
||||||
go func() {
|
go func() {
|
||||||
err := http.ListenAndServeTLS(c.Web.HTTPS, c.Web.TLSCert, c.Web.TLSKey, serv)
|
err = httpsSrv.ListenAndServeTLS(c.Web.TLSCert, c.Web.TLSKey)
|
||||||
errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err)
|
errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err)
|
||||||
}()
|
}()
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue