From d738880a466d16a98119f7aedfb59fe6f6bddc2d Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Thu, 9 Jun 2016 16:52:14 -0700
Subject: [PATCH] *: Read-only TLS credentials and limit CipherSuites

* Group changelog bullet points for readability
---
 CHANGES.md | 17 ++++++++++-------
 Documentation/config.md | 4 ++--
 bootcfg/tlsutil/info.go | 6 ++++++
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index f3344eb7..0b92ab30 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -2,16 +2,19 @@ ## Latest
-* Add gRPC API TLS and TLS client-to-server authentication (#140)
+* TLS Authentication:
+ * Add gRPC API TLS and TLS client-to-server authentication (#140)
 * Enable gRPC API by providing a TLS server `-cert-file` and `-key-file`, and a `-ca-file` to authenticate client certificates
 * Provide `bootcmd` tool a TLS client `-cert-file` and `-key-file`, and a `-ca-file` to verify the server identity.
-* Allow Ignition 2.0.0 JSON and YAML template files (#141)
+* Improvements to Ignition Support:
+ * Allow Ignition 2.0.0 JSON and YAML template files (#141)
+ * Stop requiring Ignition templates to use file extensions (#176)
+* Logging Improvements:
+ * Show `bootcfg` message at the home path `/`
+ * Fix http package log messages and increase request logging (#173)
+ * Log requests for bootcfg hosted assets (#214)
+ * Error when an Ignition/Cloud-config template is rendered with a machine Group which is missing a metadata value. Previously, missing values defaulted to "no value" (#210)
 * Add/improve rkt, Docker, Kubernetes, and binary/systemd deployment docs
-* Show `bootcfg` message at the home path `/`
-* Fix http package log messages and increase request logging (#173)
-* Log requests for bootcfg hosted assets (#214)
-* Error when an Ignition/Cloud-config template is rendered with a machine Group which is missing a metadata value. Previously, missing values defaulted to "no value" (#210)
-* Stop requiring Ignition templates to use file extensions (#176)
 #### Examples
diff --git a/Documentation/config.md b/Documentation/config.md
index 5c605b03..f4d491ce 100644
--- a/Documentation/config.md
+++ b/Documentation/config.md
@@ -70,7 +70,7 @@ The gRPC API can be enabled with the `-rpc-address` flag and by providing a TLS
 Run the ACI with rkt and TLS credentials from `examples/etc/bootcfg`.
- sudo rkt --insecure-options=image run --net=metal0:IP=172.15.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples --mount volume=config,target=/etc/bootcfg --volume config,kind=host,source=$PWD/examples/etc/bootcfg --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd bootcfg.aci -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+ sudo rkt run --net=metal0:IP=172.15.0.2 --mount volume=data,target=/var/lib/bootcfg --volume data,kind=host,source=$PWD/examples,readOnly=true --mount volume=config,target=/etc/bootcfg --volume config,kind=host,source=$PWD/examples/etc/bootcfg --mount volume=groups,target=/var/lib/bootcfg/groups --volume groups,kind=host,source=$PWD/examples/groups/etcd quay.io/coreos/bootcfg:latest -- -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 A `bootcmd` client can call the gRPC API running at the IP used in the rkt example.
@@ -78,7 +78,7 @@ A `bootcmd` client can call the gRPC API running at the IP used in the rkt examp
 Run the Docker image with TLS credentials from `examples/etc/bootcfg`.
- sudo docker run -p 8080:8080 -p 8081 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/etc/bootcfg:/etc/bootcfg:Z -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z coreos/bootcfg:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+ sudo docker run -p 8080:8080 -p 8081:8081 --rm -v $PWD/examples:/var/lib/bootcfg:Z -v $PWD/examples/etc/bootcfg:/etc/bootcfg:Z,ro -v $PWD/examples/groups/etcd:/var/lib/bootcfg/groups:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
 A `bootcmd` client can call the gRPC API running at the IP used in the Docker example.
diff --git a/bootcfg/tlsutil/info.go b/bootcfg/tlsutil/info.go
index 846e5463..e55cb8f0 100644
--- a/bootcfg/tlsutil/info.go
+++ b/bootcfg/tlsutil/info.go
@@ -57,5 +57,11 @@ func (info *TLSInfo) ServerConfig() (*tls.Config, error) {
 ClientAuth: tls.RequireAndVerifyClientCert,
 // CA for verifying and authorizing client certificates
 ClientCAs: pool,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
 }, nil
 }
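Review bot: The added CipherSuites list carries no comment saying why these four suites were chosen, and nothing in the hunk pins the protocol version; in Go's crypto/tls the AES-GCM suites are TLS 1.2-only, so the list implicitly excludes TLS 1.0/1.1, which is clearer stated explicitly with `MinVersion: tls.VersionTLS12,` next to it. A one-line comment such as `// Only forward-secret AEAD suites (ECDHE + AES-GCM); these require TLS 1.2` would record the intent for the next maintainer. Without `PreferServerCipherSuites: true` the client's preference order decides among the four, which is acceptable here since all of them are ECDHE/AEAD. If this file also builds a client-side tls.Config, sharing the list through a package-level `var` keeps both sides in step; ServerConfig's body starts outside the hunk, so MinVersion may already be set earlier in the literal.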