tls: support tls 1.3 (#7325)

agent/config/runtime.go

@@ -1423,7 +1423,8 @@ type RuntimeConfig struct {
 	TLSCipherSuites []uint16
 
 	// TLSMinVersion is used to set the minimum TLS version used for TLS
-	// connections. Should be either "tls10", "tls11", or "tls12".
+	// connections. Should be either "tls10", "tls11", "tls12" or "tls13".
+	// Defaults to tls12.
 	//
 	// hcl: tls_min_version = string
 	TLSMinVersion string

tlsutil/config.go

@@ -4,15 +4,17 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"github.com/hashicorp/consul/logging"
-	"github.com/hashicorp/go-hclog"
 	"io/ioutil"
 	"net"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/hashicorp/consul/logging"
+	"github.com/hashicorp/go-hclog"
 )
 
 // DCWrapper is a function that is used to wrap a non-TLS connection
@@ -30,8 +32,12 @@ var TLSLookup = map[string]uint16{
 	"tls10": tls.VersionTLS10,
 	"tls11": tls.VersionTLS11,
 	"tls12": tls.VersionTLS12,
+	"tls13": tls.VersionTLS13,
 }
 
+// TLSVersions has all the keys from the map above.
+var TLSVersions = strings.Join(tlsVersions(), ", ")
+
 // Config used to create tls.Config
 type Config struct {
 	// VerifyIncoming is used to verify the authenticity of incoming
@@ -120,6 +126,17 @@ type Config struct {
 	AutoEncryptTLS bool
 }
 
+func tlsVersions() []string {
+	versions := []string{}
+	for v := range TLSLookup {
+		if v != "" {
+			versions = append(versions, v)
+		}
+	}
+	sort.Strings(versions)
+	return versions
+}
+
 // KeyPair is used to open and parse a certificate and key file
 func (c *Config) KeyPair() (*tls.Certificate, error) {
 	return loadKeyPair(c.CertFile, c.KeyFile)
@@ -323,7 +340,7 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
 	// Check if a minimum TLS version was set
 	if config.TLSMinVersion != "" {
 		if _, ok := TLSLookup[config.TLSMinVersion]; !ok {
-			return fmt.Errorf("TLSMinVersion: value %s not supported, please specify one of [tls10,tls11,tls12]", config.TLSMinVersion)
+			return fmt.Errorf("TLSMinVersion: value %s not supported, please specify one of [%s]", config.TLSMinVersion, TLSVersions)
 		}
 	}
 

tlsutil/config_test.go

@@ -360,9 +360,6 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
 		{Config{}, false, false},                                              // 1
 		{Config{TLSMinVersion: "tls9"}, true, false},                          // 1
 		{Config{TLSMinVersion: ""}, false, false},                             // 2
-		{Config{TLSMinVersion: "tls10"}, false, false},                        // 3
-		{Config{TLSMinVersion: "tls11"}, false, false},                        // 4
-		{Config{TLSMinVersion: "tls12"}, false, false},                        // 5
 		{Config{VerifyOutgoing: true, CAFile: "", CAPath: ""}, true, false},   // 6
 		{Config{VerifyOutgoing: false, CAFile: "", CAPath: ""}, false, false}, // 7
 		{Config{VerifyOutgoing: false, CAFile: cafile, CAPath: ""},
@@ -390,6 +387,9 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
 		{Config{CAFile: "bogus"}, true, true},                     // 21
 		{Config{CAPath: "bogus"}, true, true},                     // 22
 	}
+	for _, v := range tlsVersions() {
+		variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
+	}
 
 	c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}}
 	for i, v := range variants {
@@ -590,8 +590,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, c.commonTLSConfig(false).MinVersion, TLSLookup["tls10"])
 
-	tlsVersions := []string{"tls10", "tls11", "tls12"}
+	for _, version := range tlsVersions() {
-	for _, version := range tlsVersions {
 		require.NoError(t, c.Update(Config{TLSMinVersion: version}))
 		require.Equal(t, c.commonTLSConfig(false).MinVersion,
 			TLSLookup[version])
@@ -839,3 +838,8 @@ func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
 	c.autoEncrypt.cert = cert
 	require.False(t, c.AutoEncryptCertExpired())
 }
+
+func TestConfig_tlsVersions(t *testing.T) {
+	require.Equal(t, []string{"tls10", "tls11", "tls12", "tls13"}, tlsVersions())
+	require.Equal(t, strings.Join(tlsVersions(), ", "), TLSVersions)
+}

website/source/docs/agent/options.html.md

@@ -1830,8 +1830,8 @@ to the old fragment -->
   facility messages are sent. By default, `LOCAL0` will be used.
 
 * <a name="tls_min_version"></a><a href="#tls_min_version">`tls_min_version`</a> Added in Consul
-  0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11"
+  0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11",
-  or "tls12". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less
+  "tls12", or "tls13". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less
   secure; avoid using these if possible.
 
 * <a name="tls_cipher_suites"></a><a href="#tls_cipher_suites">`tls_cipher_suites`</a> Added in Consul