From fb936209810acd5d60844414ff4b011ab52262cb Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Thu, 17 Mar 2022 14:11:04 -0700 Subject: [PATCH] Set secureServing minTLSVersion to 1.2 for fips Signed-off-by: Margo Crawford --- internal/crypto/ptls/fips_strict.go | 30 +++-------------------------- internal/crypto/ptls/ptls.go | 6 ++++-- internal/crypto/ptls/secure.go | 2 ++ 3 files changed, 9 insertions(+), 29 deletions(-) diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go index 327e6c65..35d97fbc 100644 --- a/internal/crypto/ptls/fips_strict.go +++ b/internal/crypto/ptls/fips_strict.go @@ -14,6 +14,9 @@ import ( "time" ) +// Always use TLS 1.2 for FIPs +const secureMinTLSVersion = "VersionTLS12" + func init() { go func() { time.Sleep(5 * time.Second) @@ -24,7 +27,6 @@ func init() { // FIPS does not support TLS 1.3. // Therefore, we cannot use Pinniped's usual secure configuration, // which requires TLS 1.3. -// We also have a shorter list of 1.2 suites to choose from. // Secure is just a wrapper for Default in this case. func Secure(rootCAs *x509.CertPool) *tls.Config { return Default(rootCAs) @@ -41,32 +43,6 @@ func Default(rootCAs *x509.CertPool) *tls.Config { // https://stigviewer.com/stig/kubernetes/2021-06-17/finding/V-242378 MinVersion: tls.VersionTLS12, - // the order does not matter in go 1.17+ https://go.dev/blog/tls-cipher-suites - // we match crypto/tls.cipherSuitesPreferenceOrder because it makes unit tests easier to write - // this list is ignored when TLS 1.3 is used - // - // as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, intermediate configuration, supports: - // - Firefox 27 - // - Android 4.4.2 - // - Chrome 31 - // - Edge - // - IE 11 on Windows 7 - // - Java 8u31 - // - OpenSSL 1.0.1 - // - Opera 20 - // - Safari 9 - // https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=intermediate&guideline=5.6 - // - // The Kubernetes API server must use approved cipher suites. - // https://stigviewer.com/stig/kubernetes/2021-06-17/finding/V-242418 - //CipherSuites: []uint16{ - // // these are all AEADs with ECDHE, some use ChaCha20Poly1305 while others use AES-GCM - // // this provides forward secrecy, confidentiality and authenticity of data - // tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - // tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - // tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - //}, - // enable HTTP2 for go's 1.7 HTTP Server // setting this explicitly is only required in very specific circumstances // it is simpler to just set it here than to try and determine if we need to diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go index 9983f687..4e414898 100644 --- a/internal/crypto/ptls/ptls.go +++ b/internal/crypto/ptls/ptls.go @@ -21,6 +21,8 @@ import ( // TODO decide if we need to expose the four TLS levels (secure, default, default-ldap, legacy) as config. +const defaultMinTLSVersion = "VersionTLS12" + type ConfigFunc func(*x509.CertPool) *tls.Config func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config { @@ -88,11 +90,11 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) { } opts.CipherSuites = cipherSuites - opts.MinTLSVersion = "VersionTLS12" + opts.MinTLSVersion = defaultMinTLSVersion } func secureServing(opts *options.SecureServingOptionsWithLoopback) { - opts.MinTLSVersion = "VersionTLS13" + opts.MinTLSVersion = secureMinTLSVersion opts.CipherSuites = nil } diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go index f19be863..d738cc87 100644 --- a/internal/crypto/ptls/secure.go +++ b/internal/crypto/ptls/secure.go @@ -11,6 +11,8 @@ import ( "crypto/x509" ) +const secureMinTLSVersion = "VersionTLS13" + func Secure(rootCAs *x509.CertPool) *tls.Config { // as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, modern configuration, supports: // - Firefox 63