Add option to set cluster TLS cipher suites. (#3228)

* Add option to set cluster TLS cipher suites. Fixes #3227
2025-11-02 11:38:02 +00:00 · 2017-08-30 16:28:23 -04:00
parent 2ca896ccea
commit 3f31ed733f
10 changed files with 76 additions and 8 deletions
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -42,7 +42,9 @@ type Config struct {
 	DefaultLeaseTTL    time.Duration `hcl:"-"`
 	DefaultLeaseTTLRaw interface{}   `hcl:"default_lease_ttl"`

-	ClusterName     string `hcl:"cluster_name"`
+	ClusterName         string `hcl:"cluster_name"`
+	ClusterCipherSuites string `hcl:"cluster_cipher_suites"`
+
 	PluginDirectory string `hcl:"plugin_directory"`
 }

@@ -276,6 +278,11 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.ClusterName = c2.ClusterName
 	}

+	result.ClusterCipherSuites = c.ClusterCipherSuites
+	if c2.ClusterCipherSuites != "" {
+		result.ClusterCipherSuites = c2.ClusterCipherSuites
+	}
+
 	result.EnableUI = c.EnableUI
 	if c2.EnableUI {
 		result.EnableUI = c2.EnableUI
@@ -376,6 +383,7 @@ func ParseConfig(d string, logger log.Logger) (*Config, error) {
 		"default_lease_ttl",
 		"max_lease_ttl",
 		"cluster_name",
+		"cluster_cipher_suites",
 		"plugin_directory",
 	}
 	if err := checkHCLKeys(list, valid); err != nil {
--- a/command/server/config_test.go
+++ b/command/server/config_test.go
@@ -99,6 +99,8 @@ func TestLoadConfigFile_json(t *testing.T) {
 			DisableClustering: true,
 		},

+		ClusterCipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+
 		Telemetry: &Telemetry{
 			StatsiteAddr:                       "baz",
 			StatsdAddr:                         "",
--- a/command/server/test-fixtures/config.hcl.json
+++ b/command/server/test-fixtures/config.hcl.json
@@ -4,6 +4,7 @@
 			"address": "127.0.0.1:443"
 		}
 	}],
+	"cluster_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
 	"storage": {
 		"consul": {
 			"foo": "bar",