Add support for tls_max_version in listener config. (#11226)
3
changelog/11226.txt
Normal file
3
changelog/11226.txt
Normal file
@@ -0,0 +1,3 @@
|
|||||||
|
```changelog:enhancement
|
||||||
|
core: Add tls_max_version listener config option.
|
||||||
|
```
|
||||||
@@ -707,6 +707,7 @@ listener "tcp" {
|
|||||||
tls_key_file = "./certs/server.key"
|
tls_key_file = "./certs/server.key"
|
||||||
tls_client_ca_file = "./certs/rootca.crt"
|
tls_client_ca_file = "./certs/rootca.crt"
|
||||||
tls_min_version = "tls12"
|
tls_min_version = "tls12"
|
||||||
|
tls_max_version = "tls13"
|
||||||
tls_require_and_verify_client_cert = true
|
tls_require_and_verify_client_cert = true
|
||||||
tls_disable_client_certs = true
|
tls_disable_client_certs = true
|
||||||
}`))
|
}`))
|
||||||
@@ -737,6 +738,7 @@ listener "tcp" {
|
|||||||
TLSKeyFile: "./certs/server.key",
|
TLSKeyFile: "./certs/server.key",
|
||||||
TLSClientCAFile: "./certs/rootca.crt",
|
TLSClientCAFile: "./certs/rootca.crt",
|
||||||
TLSMinVersion: "tls12",
|
TLSMinVersion: "tls12",
|
||||||
|
TLSMaxVersion: "tls13",
|
||||||
TLSRequireAndVerifyClientCert: true,
|
TLSRequireAndVerifyClientCert: true,
|
||||||
TLSDisableClientCerts: true,
|
TLSDisableClientCerts: true,
|
||||||
},
|
},
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ func TestTCPListener(t *testing.T) {
|
|||||||
return net.Dial("tcp", ln.Addr().String())
|
return net.Dial("tcp", ln.Addr().String())
|
||||||
}
|
}
|
||||||
|
|
||||||
testListenerImpl(t, ln, connFn, "")
|
testListenerImpl(t, ln, connFn, "", 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestTCPListener_tls tests TLS generally
|
// TestTCPListener_tls tests TLS generally
|
||||||
@@ -86,7 +86,7 @@ func TestTCPListener_tls(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
testListenerImpl(t, ln, connFn(true), "foo.example.com")
|
testListenerImpl(t, ln, connFn(true), "foo.example.com", 0)
|
||||||
|
|
||||||
ln, _, _, err = tcpListenerFactory(&configutil.Listener{
|
ln, _, _, err = tcpListenerFactory(&configutil.Listener{
|
||||||
Address: "127.0.0.1:0",
|
Address: "127.0.0.1:0",
|
||||||
@@ -111,7 +111,7 @@ func TestTCPListener_tls(t *testing.T) {
|
|||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
testListenerImpl(t, ln, connFn(false), "foo.example.com")
|
testListenerImpl(t, ln, connFn(false), "foo.example.com", 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTCPListener_tls13(t *testing.T) {
|
func TestTCPListener_tls13(t *testing.T) {
|
||||||
@@ -169,7 +169,7 @@ func TestTCPListener_tls13(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
testListenerImpl(t, ln, connFn(true), "foo.example.com")
|
testListenerImpl(t, ln, connFn(true), "foo.example.com", tls.VersionTLS13)
|
||||||
|
|
||||||
ln, _, _, err = tcpListenerFactory(&configutil.Listener{
|
ln, _, _, err = tcpListenerFactory(&configutil.Listener{
|
||||||
Address: "127.0.0.1:0",
|
Address: "127.0.0.1:0",
|
||||||
@@ -196,5 +196,19 @@ func TestTCPListener_tls13(t *testing.T) {
|
|||||||
t.Fatalf("err: %s", err)
|
t.Fatalf("err: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
testListenerImpl(t, ln, connFn(false), "foo.example.com")
|
testListenerImpl(t, ln, connFn(false), "foo.example.com", tls.VersionTLS13)
|
||||||
|
|
||||||
|
ln, _, _, err = tcpListenerFactory(&configutil.Listener{
|
||||||
|
Address: "127.0.0.1:0",
|
||||||
|
TLSCertFile: wd + "reload_foo.pem",
|
||||||
|
TLSKeyFile: wd + "reload_foo.key",
|
||||||
|
TLSDisableClientCerts: true,
|
||||||
|
TLSClientCAFile: wd + "reload_ca.pem",
|
||||||
|
TLSMaxVersion: "tls12",
|
||||||
|
}, nil, cli.NewMockUi())
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("err: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
testListenerImpl(t, ln, connFn(false), "foo.example.com", tls.VersionTLS12)
|
||||||
}
|
}
|
||||||
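Review bot: The new case at the end of `TestTCPListener_tls13` only covers the happy path of `tls_max_version` (a ceiling of tls12 yields a TLS 1.2 session); nothing in the commit's tests exercises the two new error paths, an unrecognised `TLSMaxVersion` string and a ceiling below `TLSMinVersion`, so a regression that drops the cross-check would pass unnoticed. Assuming `tcpListenerFactory` surfaces the `configutil` parse error the way the existing cases rely on for `err`, a case such as the one below would pin both behaviours. The earlier calls that now pass `0` as the expected version skip the assertion entirely; passing `tls.VersionTLS13` there would also pin the new default ceiling, provided the client side in `connFn` negotiates 1.3.
```go
// … unchanged: existing tls13 listener cases …
_, _, _, err = tcpListenerFactory(&configutil.Listener{
	Address:               "127.0.0.1:0",
	TLSCertFile:           wd + "reload_foo.pem",
	TLSKeyFile:            wd + "reload_foo.key",
	TLSDisableClientCerts: true,
	TLSMinVersion:         "tls13",
	TLSMaxVersion:         "tls12",
}, nil, cli.NewMockUi())
if err == nil {
	t.Fatal("expected error when tls_max_version is below tls_min_version")
}
```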
|
|||||||
@@ -10,7 +10,7 @@ import (
|
|||||||
|
|
||||||
type testListenerConnFn func(net.Listener) (net.Conn, error)
|
type testListenerConnFn func(net.Listener) (net.Conn, error)
|
||||||
|
|
||||||
func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn, certName string) {
|
func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn, certName string, expectedVersion uint16) {
|
||||||
serverCh := make(chan net.Conn, 1)
|
serverCh := make(chan net.Conn, 1)
|
||||||
go func() {
|
go func() {
|
||||||
server, err := ln.Accept()
|
server, err := ln.Accept()
|
||||||
@@ -31,6 +31,9 @@ func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn,
|
|||||||
|
|
||||||
if certName != "" {
|
if certName != "" {
|
||||||
tlsConn := client.(*tls.Conn)
|
tlsConn := client.(*tls.Conn)
|
||||||
|
if expectedVersion != 0 && tlsConn.ConnectionState().Version != expectedVersion {
|
||||||
|
t.Fatalf("expected version %d, got %d", expectedVersion, tlsConn.ConnectionState().Version)
|
||||||
|
}
|
||||||
if len(tlsConn.ConnectionState().PeerCertificates) != 1 {
|
if len(tlsConn.ConnectionState().PeerCertificates) != 1 {
|
||||||
t.Fatalf("err: number of certs too long")
|
t.Fatalf("err: number of certs too long")
|
||||||
}
|
}
|
||||||
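Review bot: The new `expectedVersion` check sits inside the `if certName != ""` branch, so a caller that passes a non-zero version together with an empty certName gets no assertion at all instead of a failure; rejecting that combination up front, e.g. `if expectedVersion != 0 && certName == "" { t.Fatal("expectedVersion requires a TLS connection (certName)") }` before the branch, keeps a misuse from silently passing. The failure message also prints the version with `%d`, which shows 772 for TLS 1.3; `%#x` matches the `tls.VersionTLS*` constants a reader will compare against: `t.Fatalf("expected TLS version %#x, got %#x", expectedVersion, tlsConn.ConnectionState().Version)`. `testListenerImpl` continues past the end of the hunk.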
|
|||||||
@@ -43,6 +43,7 @@ type Listener struct {
|
|||||||
TLSCertFile string `hcl:"tls_cert_file"`
|
TLSCertFile string `hcl:"tls_cert_file"`
|
||||||
TLSKeyFile string `hcl:"tls_key_file"`
|
TLSKeyFile string `hcl:"tls_key_file"`
|
||||||
TLSMinVersion string `hcl:"tls_min_version"`
|
TLSMinVersion string `hcl:"tls_min_version"`
|
||||||
|
TLSMaxVersion string `hcl:"tls_max_version"`
|
||||||
TLSCipherSuites []uint16 `hcl:"-"`
|
TLSCipherSuites []uint16 `hcl:"-"`
|
||||||
TLSCipherSuitesRaw string `hcl:"tls_cipher_suites"`
|
TLSCipherSuitesRaw string `hcl:"tls_cipher_suites"`
|
||||||
TLSPreferServerCipherSuites bool `hcl:"-"`
|
TLSPreferServerCipherSuites bool `hcl:"-"`
|
||||||
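Review bot: The new `TLSMaxVersion` field carries no comment, and nothing in the struct tells a reader that an empty value is replaced by a default or that it must not be lower than `TLSMinVersion`; the neighbouring fields are equally bare, but this one has a non-obvious constraint that the parsing code added in this commit enforces. A trailing comment such as `// Upper bound for the negotiated TLS version ("tls10".."tls13"); empty means "tls13", and it must be >= TLSMinVersion` would document that without touching behaviour. The `Listener` struct starts before the hunk and continues after it.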
|
|||||||
@@ -111,12 +111,25 @@ PASSPHRASECORRECT:
|
|||||||
l.TLSMinVersion = "tls12"
|
l.TLSMinVersion = "tls12"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if l.TLSMaxVersion == "" {
|
||||||
|
l.TLSMaxVersion = "tls13"
|
||||||
|
}
|
||||||
|
|
||||||
var ok bool
|
var ok bool
|
||||||
tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
|
tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
|
return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tlsConf.MaxVersion, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
|
||||||
|
if !ok {
|
||||||
|
return nil, nil, fmt.Errorf("'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMaxVersion)
|
||||||
|
}
|
||||||
|
|
||||||
|
if tlsConf.MaxVersion < tlsConf.MinVersion {
|
||||||
|
return nil, nil, fmt.Errorf("'tls_max_version' must be greater than or equal to 'tls_min_version'")
|
||||||
|
}
|
||||||
|
|
||||||
if len(l.TLSCipherSuites) > 0 {
|
if len(l.TLSCipherSuites) > 0 {
|
||||||
// HTTP/2 with TLS 1.2 blacklists several cipher suites.
|
// HTTP/2 with TLS 1.2 blacklists several cipher suites.
|
||||||
// https://tools.ietf.org/html/rfc7540#appendix-A
|
// https://tools.ietf.org/html/rfc7540#appendix-A
|
||||||
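Review bot: The cross-check added at the end of the hunk only rejects a ceiling below the floor; it still accepts `tls_max_version = "tls10"` or `"tls11"` (with a matching `tls_min_version`) without any warning, which pins the listener to deprecated protocol versions and, if the listener also serves HTTP/2, will presumably make those connections fail, since Go's HTTP/2 server rejects sessions below TLS 1.2 (the cipher-suite comment just below the hunk already calls out the HTTP/2 constraints). A comment above the check, `// A ceiling below TLS 1.2 is allowed for legacy clients but is incompatible with HTTP/2; this check only guarantees the min/max range is non-empty.`, would make the trade-off explicit, and a one-line warning when `tlsConf.MaxVersion < tls.VersionTLS12` would be worthwhile if a UI or logger is in scope here. The error text would also be more actionable with both configured values in it: `fmt.Errorf("'tls_max_version' %q must be greater than or equal to 'tls_min_version' %q", l.TLSMaxVersion, l.TLSMinVersion)`. The enclosing function starts before the hunk (the `PASSPHRASECORRECT:` label) and continues after it.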
|
|||||||