portainer/api/crypto/tls.go

package crypto

import (
	"crypto/tls"
	"crypto/x509"
	"os"
)

// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
func CreateTLSConfiguration() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_AES_128_GCM_SHA256,
			tls.TLS_AES_256_GCM_SHA384,
			tls.TLS_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
		},
	}
}

// CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
// loaded from memory.
func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
	config := CreateTLSConfiguration()
	config.InsecureSkipVerify = skipServerVerification

	if !skipClientVerification {
		certificate, err := tls.X509KeyPair(cert, key)
		if err != nil {
			return nil, err
		}
		config.Certificates = []tls.Certificate{certificate}
	}

	if !skipServerVerification {
		caCertPool := x509.NewCertPool()
		caCertPool.AppendCertsFromPEM(caCert)
		config.RootCAs = caCertPool
	}

	return config, nil
}

// CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
// loaded from disk.
func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
	config := CreateTLSConfiguration()
	config.InsecureSkipVerify = skipServerVerification

	if certPath != "" && keyPath != "" {
		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
		if err != nil {
			return nil, err
		}

		config.Certificates = []tls.Certificate{cert}
	}

	if !skipServerVerification && caCertPath != "" {
		caCert, err := os.ReadFile(caCertPath)
		if err != nil {
			return nil, err
		}

		caCertPool := x509.NewCertPool()
		caCertPool.AppendCertsFromPEM(caCert)
		config.RootCAs = caCertPool
	}

	return config, nil
}
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`package crypto`
refactor(api): create a new structure for the Go api (#94) * refactor(api): create a new structure for the Go api * refactor(api): update the way keyFile parameter is managed 8 years ago
			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
fix(code): replace calls to ioutil EE-4425 (#7878) 2 years ago			`"os"`
refactor(api): create a new structure for the Go api (#94) * refactor(api): create a new structure for the Go api * refactor(api): update the way keyFile parameter is managed 8 years ago			`)`

fix(tls): specify the TLS MinVersion always EE-4427 (#7869) 2 years ago			`// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings`
			`func CreateTLSConfiguration() *tls.Config {`
feat(server): support minimum tls v1.2 (#4076) 4 years ago			`return &tls.Config{`
fix(tls): downgrade minimum version to TLS 1.2 to avoid proxy problems EE-3152 (#6909) 3 years ago			`MinVersion: tls.VersionTLS12,`
			`CipherSuites: []uint16{`
			`tls.TLS_AES_128_GCM_SHA256,`
			`tls.TLS_AES_256_GCM_SHA384,`
			`tls.TLS_CHACHA20_POLY1305_SHA256,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,`
			`tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,`
fix(tls): add missing cipher suites EE-5465 (#8924) 2 years ago			`tls.TLS_RSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_RSA_WITH_AES_256_GCM_SHA384,`
fix(tls): add support for more cipher suites EE-7150 (#11875) 6 months ago			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,`
			`tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,`
			`tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,`
			`tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,`
fix(tls): downgrade minimum version to TLS 1.2 to avoid proxy problems EE-3152 (#6909) 3 years ago			`},`
feat(server): support minimum tls v1.2 (#4076) 4 years ago			`}`
			`}`

fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`// CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key`
			`// loaded from memory.`
			`func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {`
fix(tls): specify the TLS MinVersion always EE-4427 (#7869) 2 years ago			`config := CreateTLSConfiguration()`
feat(api): ping the endpoint at creation time (#1817) 7 years ago			`config.InsecureSkipVerify = skipServerVerification`

			`if !skipClientVerification {`
			`certificate, err := tls.X509KeyPair(cert, key)`
			`if err != nil {`
			`return nil, err`
			`}`
			`config.Certificates = []tls.Certificate{certificate}`
			`}`

			`if !skipServerVerification {`
			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`
			`config.RootCAs = caCertPool`
			`}`

			`return config, nil`
			`}`

fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`// CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key`
			`// loaded from disk.`
			`func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {`
fix(tls): specify the TLS MinVersion always EE-4427 (#7869) 2 years ago			`config := CreateTLSConfiguration()`
fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`config.InsecureSkipVerify = skipServerVerification`
feat(authentication): add LDAP authentication support (#1093) 7 years ago
fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`if certPath != "" && keyPath != "" {`
			`cert, err := tls.LoadX509KeyPair(certPath, keyPath)`
fix(tls): fix an issue with TLSConfig ignored when using LDAP StartTLS 7 years ago			`if err != nil {`
			`return nil, err`
feat(authentication): add LDAP authentication support (#1093) 7 years ago			`}`

fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`config.Certificates = []tls.Certificate{cert}`
fix(tls): fix an issue with TLSConfig ignored when using LDAP StartTLS 7 years ago			`}`
feat(api): TLS endpoint creation and init overhaul (#1173) 7 years ago
fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`if !skipServerVerification && caCertPath != "" {`
fix(code): replace calls to ioutil EE-4425 (#7878) 2 years ago			`caCert, err := os.ReadFile(caCertPath)`
fix(tls): fix an issue with TLSConfig ignored when using LDAP StartTLS 7 years ago			`if err != nil {`
			`return nil, err`
feat(authentication): add LDAP authentication support (#1093) 7 years ago			`}`
feat(api): TLS endpoint creation and init overhaul (#1173) 7 years ago
fix(tls): fix an issue with TLSConfig ignored when using LDAP StartTLS 7 years ago			`caCertPool := x509.NewCertPool()`
			`caCertPool.AppendCertsFromPEM(caCert)`
fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`config.RootCAs = caCertPool`
refactor(api): create a new structure for the Go api (#94) * refactor(api): create a new structure for the Go api * refactor(api): update the way keyFile parameter is managed 8 years ago			`}`
feat(authentication): add LDAP authentication support (#1093) 7 years ago
fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`return config, nil`
refactor(api): create a new structure for the Go api (#94) * refactor(api): create a new structure for the Go api * refactor(api): update the way keyFile parameter is managed 8 years ago			`}`