fix(tls): specify the TLS MinVersion always EE-4427 (#7869)

2023-02-09 16:13:35 -03:00 · 2023-02-09 16:13:35 -03:00 · 4753d52532
parent f9bbe000fb
commit 4753d52532
5 changed files with 27 additions and 16 deletions
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@ -6,8 +6,8 @@ import (
 	"os"
 )

-// CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
-func CreateServerTLSConfiguration() *tls.Config {
+// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
+func CreateTLSConfiguration() *tls.Config {
 	return &tls.Config{
 		MinVersion: tls.VersionTLS12,
 		CipherSuites: []uint16{
@ -27,7 +27,7 @@ func CreateServerTLSConfiguration() *tls.Config {
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
-	config := &tls.Config{}
+	config := CreateTLSConfiguration()
 	config.InsecureSkipVerify = skipServerVerification

 	if !skipClientVerification {
@ -50,7 +50,7 @@ func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerific
 // CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from disk.
 func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
-	config := &tls.Config{}
+	config := CreateTLSConfiguration()
 	config.InsecureSkipVerify = skipServerVerification

 	if certPath != "" && keyPath != "" {
--- a/api/git/azure.go
+++ b/api/git/azure.go
@ -2,7 +2,6 @@ package git

 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@ -12,11 +11,13 @@ import (
 	"strings"
 	"time"

+	"github.com/portainer/portainer/api/archive"
+	"github.com/portainer/portainer/api/crypto"
+	gittypes "github.com/portainer/portainer/api/git/types"
+
 	"github.com/go-git/go-git/v5/plumbing/transport/client"
 	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/pkg/errors"
-	"github.com/portainer/portainer/api/archive"
-	gittypes "github.com/portainer/portainer/api/git/types"
 )

 const (
@ -63,9 +64,12 @@ func NewAzureClient() *azureClient {
 }

 func newHttpClientForAzure() *http.Client {
+	tlsConfig := crypto.CreateTLSConfiguration()
+	tlsConfig.InsecureSkipVerify = true
+
 	httpsCli := &http.Client{
 		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: tlsConfig,
 			Proxy:           http.ProxyFromEnvironment,
 		},
 		Timeout: 300 * time.Second,
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@ -2,7 +2,6 @@ package openamt

 import (
 	"bytes"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -11,6 +10,8 @@ import (
 	"time"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
+
 	"golang.org/x/sync/errgroup"
 )

@ -32,11 +33,14 @@ type Service struct {

 // NewService initializes a new service.
 func NewService() *Service {
+	tlsConfig := crypto.CreateTLSConfiguration()
+	tlsConfig.InsecureSkipVerify = true
+
 	return &Service{
 		httpsClient: &http.Client{
 			Timeout: httpClientTimeout,
 			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				TLSClientConfig: tlsConfig,
 			},
 		},
 	}
--- a/api/http/handler/websocket/proxy.go
+++ b/api/http/handler/websocket/proxy.go
@ -1,14 +1,15 @@
 package websocket

 import (
-	"crypto/tls"
 	"fmt"
 	"net/http"
 	"net/url"

+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
+
 	"github.com/gorilla/websocket"
 	"github.com/koding/websocketproxy"
-	portainer "github.com/portainer/portainer/api"
 )

 func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
@ -62,10 +63,12 @@ func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *htt

 	if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
 		agentURL.Scheme = "wss"
+
+		tlsConfig := crypto.CreateTLSConfiguration()
+		tlsConfig.InsecureSkipVerify = params.endpoint.TLSConfig.TLSSkipVerify
+
 		proxy.Dialer = &websocket.Dialer{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
-			},
+			TLSClientConfig: tlsConfig,
 		}
 	}

--- a/api/http/server.go
+++ b/api/http/server.go
@ -346,7 +346,7 @@ func (server *Server) Start() error {
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // Disable HTTP/2
 	}

-	httpsServer.TLSConfig = crypto.CreateServerTLSConfiguration()
+	httpsServer.TLSConfig = crypto.CreateTLSConfiguration()
 	httpsServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 		return server.SSLService.GetRawCertificate(), nil
 	}