Handpick cluster cipher suites when they're not user-set (#7487)

* Handpick cluster cipher suites when they're not user-set

There is an undocumented way for users to choose cluster cipher suites
but for the most part this is to paper over the fact that there are
undesirable suites in TLS 1.2.

If not explicitly set, have the set of cipher suites for the cluster
port come from a hand-picked list; either the allowed TLS 1.3 set (for
forwards compatibility) or the three identical ones for TLS 1.2.

The 1.2 suites have been supported in Go until at least as far back as
Go 1.9 from two years ago. As a result in cases where no specific suites
have been chosen this _ought_ to have no compatibility issues.

Also includes a useful test script.

CHANGELOG.md

@@ -1,5 +1,14 @@
 ## 1.3 (Unreleased)
 
+CHANGES:
+ * Cluster cipher suites: On its cluster port, Vault will no longer advertise
+   the full TLS 1.2 cipher suite list by default. Although this port is only
+   used for Vault-to-Vault communication and would always pick a strong cipher,
+   it could cause false flags on port scanners and other security utilities
+   that assumed insecure ciphers were being used. The previous behavior can be
+   achieved by setting the value of the (undocumented) `cluster_cipher_suites`
+   config flag to `tls12`.
+
 FEATURES:
 
  * **Vault Debug**: A new top-level subcommand, `debug`, is added that allows 

scripts/testciphers.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# Adapted from https://superuser.com/a/224263
+
+# OpenSSL requires the port number.
+SERVER=$1
+ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
+
+echo Obtaining cipher list from $(openssl version).
+
+for cipher in ${ciphers[@]}
+do
+echo -n Testing $cipher...
+result=$(echo -n | openssl s_client -cipher "$cipher" -alpn req_fw_sb-act_v1 -connect $SERVER 2>&1)
+if [[ "$result" =~ ":error:" ]] ; then
+  error=$(echo -n $result | cut -d':' -f6)
+  echo NO \($error\)
+else
+  if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
+    echo YES
+  else
+    echo UNKNOWN RESPONSE
+    echo $result
+  fi
+fi
+done

vault/core.go

@@ -5,6 +5,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/subtle"
+	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -709,7 +710,24 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 	c.clusterAddr.Store(conf.ClusterAddr)
 	c.activeContextCancelFunc.Store((context.CancelFunc)(nil))
 
-	if conf.ClusterCipherSuites != "" {
+	switch conf.ClusterCipherSuites {
+	case "tls12":
+		// Do nothing, let Go use the default
+
+	case "":
+		// Add in forward compatible TLS 1.3 suites, followed by handpicked 1.2 suites
+		c.clusterCipherSuites = []uint16{
+			// 1.3
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			// 1.2
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		}
+
+	default:
 		suites, err := tlsutil.ParseCiphers(conf.ClusterCipherSuites)
 		if err != nil {
 			return nil, errwrap.Wrapf("error parsing cluster cipher suites: {{err}}", err)