Set secureServing minTLSVersion to 1.2 for fips

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-17 14:11:04 -07:00 · 2022-03-17 14:11:04 -07:00 · fb93620981
commit fb93620981
parent a036c7b4c3
3 changed files with 9 additions and 29 deletions
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@ -14,6 +14,9 @@ import (
 	"time"
 )

+// Always use TLS 1.2 for FIPs
+const secureMinTLSVersion = "VersionTLS12"
+
 func init() {
 	go func() {
 		time.Sleep(5 * time.Second)
@ -24,7 +27,6 @@ func init() {
 // FIPS does not support TLS 1.3.
 // Therefore, we cannot use Pinniped's usual secure configuration,
 // which requires TLS 1.3.
-// We also have a shorter list of 1.2 suites to choose from.
 // Secure is just a wrapper for Default in this case.
 func Secure(rootCAs *x509.CertPool) *tls.Config {
 	return Default(rootCAs)
@ -41,32 +43,6 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
 		// https://stigviewer.com/stig/kubernetes/2021-06-17/finding/V-242378
 		MinVersion: tls.VersionTLS12,

-		// the order does not matter in go 1.17+ https://go.dev/blog/tls-cipher-suites
-		// we match crypto/tls.cipherSuitesPreferenceOrder because it makes unit tests easier to write
-		// this list is ignored when TLS 1.3 is used
-		//
-		// as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, intermediate configuration, supports:
-		// - Firefox 27
-		// - Android 4.4.2
-		// - Chrome 31
-		// - Edge
-		// - IE 11 on Windows 7
-		// - Java 8u31
-		// - OpenSSL 1.0.1
-		// - Opera 20
-		// - Safari 9
-		// https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=intermediate&guideline=5.6
-		//
-		// The Kubernetes API server must use approved cipher suites.
-		// https://stigviewer.com/stig/kubernetes/2021-06-17/finding/V-242418
-		//CipherSuites: []uint16{
-		//	// these are all AEADs with ECDHE, some use ChaCha20Poly1305 while others use AES-GCM
-		//	// this provides forward secrecy, confidentiality and authenticity of data
-		//	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		//	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		//	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		//},
-
 		// enable HTTP2 for go's 1.7 HTTP Server
 		// setting this explicitly is only required in very specific circumstances
 		// it is simpler to just set it here than to try and determine if we need to
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
@ -21,6 +21,8 @@ import (

 // TODO decide if we need to expose the four TLS levels (secure, default, default-ldap, legacy) as config.

+const defaultMinTLSVersion = "VersionTLS12"
+
 type ConfigFunc func(*x509.CertPool) *tls.Config

 func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
@ -88,11 +90,11 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 	}
 	opts.CipherSuites = cipherSuites

-	opts.MinTLSVersion = "VersionTLS12"
+	opts.MinTLSVersion = defaultMinTLSVersion
 }

 func secureServing(opts *options.SecureServingOptionsWithLoopback) {
-	opts.MinTLSVersion = "VersionTLS13"
+	opts.MinTLSVersion = secureMinTLSVersion
 	opts.CipherSuites = nil
 }

--- a/internal/crypto/ptls/secure.go
+++ b/internal/crypto/ptls/secure.go
@ -11,6 +11,8 @@ import (
 	"crypto/x509"
 )

+const secureMinTLSVersion = "VersionTLS13"
+
 func Secure(rootCAs *x509.CertPool) *tls.Config {
 	// as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, modern configuration, supports:
 	// - Firefox 63