djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't add cbc ecdhe ciphers for ldap in fips mode

Browse Source 
Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Margo Crawford 2022-03-21 14:59:11 -07:00 committed by Monis Khan
parent 52c796b1f4
commit 5c6fd9c6cf
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
3 changed files with 19 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
internal/crypto/ptls/default.go
View File

@ -57,3 +57,17 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
RootCAs: rootCAs,
}
}
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
c := Default(rootCAs)
// add less secure ciphers to support the default AWS Active Directory config
c.CipherSuites = append(c.CipherSuites,
// CBC with ECDHE
// this provides forward secrecy and confidentiality of data but not authenticity
// MAC-then-Encrypt CBC ciphers are susceptible to padding oracle attacks
// See https://crypto.stackexchange.com/a/205 and https://crypto.stackexchange.com/a/224
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
)
return c
}

5
internal/crypto/ptls/fips_strict.go
View File

@ -53,3 +53,8 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
RootCAs: rootCAs,
}
}
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
c := Default(rootCAs)
return c
}

14
internal/crypto/ptls/ptls.go
View File

@ -28,20 +28,6 @@ const defaultServingOptionsMinTLSVersion = "VersionTLS12"
type ConfigFunc func(*x509.CertPool) *tls.Config
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
c := Default(rootCAs)
// add less secure ciphers to support the default AWS Active Directory config
c.CipherSuites = append(c.CipherSuites,
// CBC with ECDHE
// this provides forward secrecy and confidentiality of data but not authenticity
// MAC-then-Encrypt CBC ciphers are susceptible to padding oracle attacks
// See https://crypto.stackexchange.com/a/205 and https://crypto.stackexchange.com/a/224
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
)
return c
}
func Legacy(rootCAs *x509.CertPool) *tls.Config {
c := Default(rootCAs)
// add all the ciphers (even the crappy ones) except the ones that Go considers to be outright broken like 3DES