From 07066e020d52914a60a91b6ee5f67d7a5375f82f Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Thu, 31 Mar 2022 17:07:47 -0400
Subject: [PATCH] Explicitly set defaultServing ciphers in FIPS mode

This is a no-op today, but could change in the future when we add support for FIPS in non-strict mode.

Signed-off-by: Monis Khan
---
 internal/crypto/ptls/fips_strict.go | 6 ++++++
 internal/crypto/ptls/ptls.go | 5 -----
 internal/crypto/ptls/secure.go | 7 +++++++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go
index cebcebb4..a6a3c65d 100644
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@@ -17,6 +17,8 @@ import (
 "C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
 _ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
 
+ "k8s.io/apiserver/pkg/server/options"
+
 "go.pinniped.dev/internal/plog"
 )
 
@@ -63,3 +65,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
 return Default(rootCAs)
 }
+
+func secureServing(opts *options.SecureServingOptionsWithLoopback) {
+ defaultServing(opts)
+}
diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go
index 3eb45d41..ab331e38 100644
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
@@ -82,11 +82,6 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
 }
 
-func secureServing(opts *options.SecureServingOptionsWithLoopback) {
- opts.MinTLSVersion = secureServingOptionsMinTLSVersion
- opts.CipherSuites = nil
-}
-
 func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error {
 inClusterClient, inClusterConfig, err := f(nil)
 if err != nil {
diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go
index 9f07b633..ddea0816 100644
--- a/internal/crypto/ptls/secure.go
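Review bot: The new FIPS `secureServing` in fips_strict.go delegates to `defaultServing` with no comment, so the reasoning in the commit message ("no-op today, may change with non-strict FIPS") is invisible to anyone reading the file later. The shared implementation removed from ptls.go set `opts.MinTLSVersion = secureServingOptionsMinTLSVersion` and `opts.CipherSuites = nil`; the FIPS build now inherits whatever `defaultServing` sets instead, and the equivalence the commit relies on holds only while the FIPS constants happen to agree. Suggest a doc comment such as `// secureServing is intentionally identical to defaultServing in FIPS mode (the fipsonly import already restricts TLS to FIPS-approved settings); this may diverge once non-strict FIPS support exists.` A small unit test asserting that, under FIPS, `secureServing` and `defaultServing` leave identical `MinTLSVersion` and `CipherSuites` on the options would make the claimed no-op fail loudly if it drifts. `defaultServing`'s body lies outside this hunk.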
+++ b/internal/crypto/ptls/secure.go
@@ -9,6 +9,8 @@ package ptls
 import (
 "crypto/tls"
 "crypto/x509"
+
+ "k8s.io/apiserver/pkg/server/options"
 )
 
 // secureServingOptionsMinTLSVersion is the minimum tls version in the format
@@ -42,3 +44,8 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 }
 return c
 }
+
+func secureServing(opts *options.SecureServingOptionsWithLoopback) {
+ opts.MinTLSVersion = secureServingOptionsMinTLSVersion
+ opts.CipherSuites = nil
+}
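Review bot: `secureServing` in secure.go sets `opts.CipherSuites = nil` without explanation, and moving it out of ptls.go leaves it undocumented in its new home. Clearing the list hands suite selection to whatever default the apiserver options apply when no ciphers are given, which is a deliberate choice a reader should not have to rediscover; if `secureServingOptionsMinTLSVersion` resolves to TLS 1.3, Go's crypto/tls ignores `CipherSuites` for 1.3 handshakes anyway, and that would be the reason worth stating. Suggest `// secureServing applies the stricter serving profile: minimum version secureServingOptionsMinTLSVersion and no explicit cipher list, leaving suite selection to the TLS defaults for that version.` Since ptls.go previously held a single implementation for both builds, also note in the comment that fips_strict.go carries the FIPS counterpart so the two definitions are kept in sync.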