mirror of https://github.com/hashicorp/consul
🔒 Update supported TLS cipher suites
The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)pull/3962/head
parent
844a5fe8c0
commit
c901307a47
|
@ -1107,23 +1107,28 @@ type RuntimeConfig struct {
|
|||
//
|
||||
// The values should be a list of the following values:
|
||||
//
|
||||
// TLS_RSA_WITH_RC4_128_SHA
|
||||
// TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
// TLS_RSA_WITH_AES_128_CBC_SHA
|
||||
// TLS_RSA_WITH_AES_256_CBC_SHA
|
||||
// TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
// TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
// TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
// TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
// TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
||||
// TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||
// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
// TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
// TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
// TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
// TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||
// TLS_RSA_WITH_AES_128_CBC_SHA
|
||||
// TLS_RSA_WITH_AES_256_CBC_SHA
|
||||
// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
// TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
// TLS_RSA_WITH_RC4_128_SHA
|
||||
// TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
// TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
//
|
||||
// todo(fs): IMHO, we should also support the raw 0xNNNN values from
|
||||
// todo(fs): https://golang.org/pkg/crypto/tls/#pkg-constants
|
||||
|
|
|
@ -2581,7 +2581,7 @@ func TestFullConfig(t *testing.T) {
|
|||
"statsd_address": "drce87cy",
|
||||
"statsite_address": "HpFwKB8R"
|
||||
},
|
||||
"tls_cipher_suites": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||
"tls_cipher_suites": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"tls_min_version": "pAOWafkR",
|
||||
"tls_prefer_server_cipher_suites": true,
|
||||
"translate_wan_addrs": true,
|
||||
|
|
|
@ -361,23 +361,28 @@ func ParseCiphers(cipherStr string) ([]uint16, error) {
|
|||
ciphers := strings.Split(cipherStr, ",")
|
||||
|
||||
cipherMap := map[string]uint16{
|
||||
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
}
|
||||
for _, cipher := range ciphers {
|
||||
if v, ok := cipherMap[cipher]; ok {
|
||||
|
|
|
@ -513,32 +513,52 @@ func TestConfig_IncomingTLS_TLSMinVersion(t *testing.T) {
|
|||
|
||||
func TestConfig_ParseCiphers(t *testing.T) {
|
||||
testOk := strings.Join([]string{
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||
"TLS_RSA_WITH_RC4_128_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"
|
||||
}, ",")
|
||||
ciphers := []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
}
|
||||
v, err := ParseCiphers(testOk)
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in New Issue