From 52c796b1f4bbf797c989ad42d13695b6f802c233 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Fri, 18 Mar 2022 15:54:53 -0700
Subject: [PATCH] supervisor discovery test shouldn't require tls 1.3 in fips mode

Signed-off-by: Margo Crawford
---
 internal/crypto/ptls/fips_strict.go | 5 +++--
 internal/crypto/ptls/ptls.go | 9 ++++++---
 internal/crypto/ptls/secure.go | 11 +++++++++--
 test/integration/supervisor_discovery_test.go | 4 +++-
 4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go
index 35d97fbc..00e87b60 100644
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@@ -15,7 +15,8 @@ import (
 )
 
 // Always use TLS 1.2 for FIPs
-const secureMinTLSVersion = "VersionTLS12"
+const secureServingOptionsMinTLSVersion = "VersionTLS12"
+const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
 
 func init() {
 	go func() {
@@ -41,7 +42,7 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
 		// The Kubernetes API Server must use TLS 1.2, at a minimum,
 		// to protect the confidentiality of sensitive data during electronic dissemination.
 		// https://stigviewer.com/stig/kubernetes/2021-06-17/finding/V-242378
-		MinVersion: tls.VersionTLS12,
+		MinVersion: SecureTLSConfigMinTLSVersion,
 
 		// enable HTTP2 for go's 1.7 HTTP Server
 		// setting this explicitly is only required in very specific circumstances
diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go
index 4e414898..ef4e7d9f 100644
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
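Review bot: The new exported constant `SecureTLSConfigMinTLSVersion` in fips_strict.go has no doc comment of its own; the existing `// Always use TLS 1.2 for FIPs` line is attached only to the renamed string constant above it, while secure.go's copy of the same identifier is documented. Go convention expects an exported name to carry a comment starting with the name, e.g. `// SecureTLSConfigMinTLSVersion is the minimum TLS version, in tls.Config form, used in FIPS builds.` Grouping both constants in one `const (...)` block under the FIPS comment would also make it obvious that they describe the same floor in two formats.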
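Review bot: `Default` in fips_strict.go now takes its `MinVersion` from `SecureTLSConfigMinTLSVersion`, so the default profile's TLS floor is defined by the secure profile's constant rather than by the literal the V-242378 comment above it describes. If that constant is later raised (for example once TLS 1.3 is acceptable for this build), `Default`, which presumably exists for broader client compatibility than `Secure`, moves with it silently. Either keep a literal `tls.VersionTLS12` on this line, or state the coupling next to it: `// In FIPS builds Default and Secure intentionally share the same minimum TLS version.` Default's body continues past the end of the hunk.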
@@ -21,7 +21,10 @@ import (
 
 // TODO decide if we need to expose the four TLS levels (secure, default, default-ldap, legacy) as config.
-const defaultMinTLSVersion = "VersionTLS12"
+// defaultServingOptionsMinTLSVersion is the minimum tls version in the format
+// expected by SecureServingOptions.MinTLSVersion from
+// k8s.io/apiserver/pkg/server/options
+const defaultServingOptionsMinTLSVersion = "VersionTLS12"
 
 type ConfigFunc func(*x509.CertPool) *tls.Config
 
@@ -90,11 +93,11 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 	}
 
 	opts.CipherSuites = cipherSuites
-	opts.MinTLSVersion = defaultMinTLSVersion
+	opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
 }
 
 func secureServing(opts *options.SecureServingOptionsWithLoopback) {
-	opts.MinTLSVersion = secureMinTLSVersion
+	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
 	opts.CipherSuites = nil
 }
 
diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go
index d738cc87..3daaace4 100644
--- a/internal/crypto/ptls/secure.go
+++ b/internal/crypto/ptls/secure.go
@@ -11,7 +11,14 @@ import (
 	"crypto/x509"
 )
 
-const secureMinTLSVersion = "VersionTLS13"
+// secureServingOptionsMinTLSVersion is the minimum tls version in the format
+// expected by SecureServingOptions.MinTLSVersion from
+// k8s.io/apiserver/pkg/server/options
+const secureServingOptionsMinTLSVersion = "VersionTLS13"
+
+// SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected
+// by tls.Config
+const SecureTLSConfigMinTLSVersion = tls.VersionTLS13
 
 func Secure(rootCAs *x509.CertPool) *tls.Config {
 	// as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, modern configuration, supports:
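Review bot: `secureServingOptionsMinTLSVersion` (`"VersionTLS13"`) and `SecureTLSConfigMinTLSVersion` (`tls.VersionTLS13`) in secure.go are two representations of one policy with no compile-time link between them, and the same pair now exists in fips_strict.go with TLS 1.2; an edit to one that misses the other would leave the apiserver serving options and the tls.Config enforcing different floors, and nothing in this change would catch that. A small unit test that parses the string constant the way SecureServingOptions.MinTLSVersion is parsed and asserts the result equals the tls.Config constant would pin the two together in both build variants. The doc comments could also say which of the two is the authoritative value.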
@@ -25,7 +32,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 	// - Safari 12.1
 	// https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=modern&guideline=5.6
 	c := Default(rootCAs)
-	c.MinVersion = tls.VersionTLS13 // max out the security
+	c.MinVersion = SecureTLSConfigMinTLSVersion // max out the security
 	c.CipherSuites = []uint16{
 		// TLS 1.3 ciphers are not configurable, but we need to explicitly set them here to make our client hello behave correctly
 		// See https://github.com/golang/go/pull/49293
diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go
index 4274d880..4187aaf9 100644
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -18,6 +18,8 @@ import (
 	"testing"
 	"time"
 
+	"go.pinniped.dev/internal/crypto/ptls"
+
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -660,7 +662,7 @@ func newHTTPClient(t *testing.T, caBundle string, dnsOverrides map[string]string
 		caCertPool.AppendCertsFromPEM([]byte(caBundle))
 		c.Transport = &http.Transport{
 			DialContext: overrideDialContext,
-			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: caCertPool},
+			TLSClientConfig: &tls.Config{MinVersion: ptls.SecureTLSConfigMinTLSVersion, RootCAs: caCertPool},
 		}
 	} else {
 		c.Transport = &http.Transport{
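Review bot: The added import `"go.pinniped.dev/internal/crypto/ptls"` is placed in its own group ahead of the third-party block (`github.com/stretchr/testify/require`, the `k8s.io` packages), whereas goimports' local-module grouping, and presumably the rest of this repository, put the module's own packages in a trailing group after third-party imports. Moving the line, with its blank separator, to after the last `k8s.io` import keeps the file consistent with that ordering and avoids a lint-only follow-up commit. The import block continues past the end of the hunk.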
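Review bot: The client in `newHTTPClient` now sets `MinVersion` to `ptls.SecureTLSConfigMinTLSVersion`, the same constant the supervisor is built with, so the test no longer pins the server's TLS floor independently: if that constant were lowered by mistake, both sides would move together and the test would still pass. The change is reasonable for FIPS builds, but callers of this client could additionally check the negotiated version after a successful request, e.g. `require.GreaterOrEqual(t, resp.TLS.Version, uint16(ptls.SecureTLSConfigMinTLSVersion))`, so a downgrade on either side is still detected (the `uint16` conversion is needed because the constant is untyped). newHTTPClient's body starts and ends outside the hunk.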