From 4753d52532b962f5cdc95c214e30db889909c824 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Thu, 9 Feb 2023 16:13:35 -0300
Subject: [PATCH] fix(tls): specify the TLS MinVersion always EE-4427 (#7869)

---
 api/crypto/tls.go | 8 ++++----
 api/git/azure.go | 12 ++++++++----
 api/hostmanagement/openamt/openamt.go | 8 ++++++--
 api/http/handler/websocket/proxy.go | 13 ++++++++-----
 api/http/server.go | 2 +-
 5 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/api/crypto/tls.go b/api/crypto/tls.go
index e3418f66e..a92afd444 100644
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -6,8 +6,8 @@ import (
 "os"
 )
 
-// CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
-func CreateServerTLSConfiguration() *tls.Config {
+// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
+func CreateTLSConfiguration() *tls.Config {
 return &tls.Config{
 MinVersion: tls.VersionTLS12,
 CipherSuites: []uint16{
@@ -27,7 +27,7 @@ func CreateServerTLSConfiguration() *tls.Config {
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
- config := &tls.Config{}
+ config := CreateTLSConfiguration()
 config.InsecureSkipVerify = skipServerVerification
 
 if !skipClientVerification {
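Review bot: The new doc comment on CreateTLSConfiguration drops the "to be used by servers" wording but does not say what replaced it, even though the rest of this patch hands the result to HTTP clients and websocket dialers as well as the HTTPS server, and every caller mutates the returned pointer (InsecureSkipVerify, GetCertificate). Because the function returns a fresh `&tls.Config{...}` literal on each call this sharing is safe, but that is exactly the contract worth stating, e.g. `// CreateTLSConfiguration returns a new tls.Config with recommended settings (TLS 1.2 minimum, restricted cipher suites) for both client and server use; the value is freshly allocated and callers may mutate it.` The function body, including the cipher-suite list, continues past the end of this hunk.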
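Review bot: CreateTLSConfigurationFromBytes now starts from the hardened base config, but the very next line still sets `config.InsecureSkipVerify = skipServerVerification`, and the function's doc comment describes neither skip flag; a reader who sees "recommended TLS settings" may assume peer verification is part of them. Suggest extending the comment with `// skipServerVerification sets InsecureSkipVerify, which disables verification of the peer certificate chain and host name regardless of MinVersion.` The same applies to CreateTLSConfigurationFromDisk in the `@@ -50,7 +50,7 @@` hunk. The `if !skipClientVerification {` block continues past this hunk, so what that flag controls is not visible here.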
@@ -50,7 +50,7 @@ func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerific
 // CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from disk.
 func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
- config := &tls.Config{}
+ config := CreateTLSConfiguration()
 config.InsecureSkipVerify = skipServerVerification
 
 if certPath != "" && keyPath != "" {
diff --git a/api/git/azure.go b/api/git/azure.go
index 6036fe5ac..b4a15fc08 100644
--- a/api/git/azure.go
+++ b/api/git/azure.go
@@ -2,7 +2,6 @@ package git
 
 import (
 "context"
- "crypto/tls"
 "encoding/json"
 "fmt"
 "io"
@@ -12,11 +11,13 @@ import (
 "strings"
 "time"
 
+ "github.com/portainer/portainer/api/archive"
+ "github.com/portainer/portainer/api/crypto"
+ gittypes "github.com/portainer/portainer/api/git/types"
+
 "github.com/go-git/go-git/v5/plumbing/transport/client"
 githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 "github.com/pkg/errors"
- "github.com/portainer/portainer/api/archive"
- gittypes "github.com/portainer/portainer/api/git/types"
 )
 
 const (
@@ -63,9 +64,12 @@ func NewAzureClient() *azureClient {
 }
 
 func newHttpClientForAzure() *http.Client {
+ tlsConfig := crypto.CreateTLSConfiguration()
+ tlsConfig.InsecureSkipVerify = true
+
 httpsCli := &http.Client{
 Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ TLSClientConfig: tlsConfig,
 Proxy: http.ProxyFromEnvironment,
 },
 Timeout: 300 * time.Second,
diff --git a/api/hostmanagement/openamt/openamt.go b/api/hostmanagement/openamt/openamt.go
index 8c9902866..590664961 100644
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@@ -2,7 +2,6 @@ package openamt
 
 import (
 "bytes"
- "crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
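Review bot: newHttpClientForAzure still disables certificate verification unconditionally with `tlsConfig.InsecureSkipVerify = true`, so the MinVersion and cipher-suite restrictions gained from CreateTLSConfiguration buy little while the peer's identity goes unchecked; this predates the patch, but the new code carries it forward without explanation. At minimum the line deserves a why-comment, e.g. `// TODO(review): verification of the Azure DevOps endpoint is disabled; document the reason or make it configurable`, and ideally the skip should be driven by configuration the way the websocket proxy uses the endpoint's TLSSkipVerify flag. NewService in openamt.go (the `@@ -32,11 +33,14 @@` hunk) hard-codes the same skip and would take the same comment.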
@@ -11,6 +10,8 @@ import (
 "time"
 
 portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/api/crypto"
+
 "golang.org/x/sync/errgroup"
 )
 
@@ -32,11 +33,14 @@ type Service struct {
 
 // NewService initializes a new service.
 func NewService() *Service {
+ tlsConfig := crypto.CreateTLSConfiguration()
+ tlsConfig.InsecureSkipVerify = true
+
 return &Service{
 httpsClient: &http.Client{
 Timeout: httpClientTimeout,
 Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ TLSClientConfig: tlsConfig,
 },
 },
 }
diff --git a/api/http/handler/websocket/proxy.go b/api/http/handler/websocket/proxy.go
index d1325cc03..d03d5a113 100644
--- a/api/http/handler/websocket/proxy.go
+++ b/api/http/handler/websocket/proxy.go
@@ -1,14 +1,15 @@
 package websocket
 
 import (
- "crypto/tls"
 "fmt"
 "net/http"
 "net/url"
 
+ portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/api/crypto"
+
 "github.com/gorilla/websocket"
 "github.com/koding/websocketproxy"
- portainer "github.com/portainer/portainer/api"
 )
 
 func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
@@ -62,10 +63,12 @@ func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *htt
 
 if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
 agentURL.Scheme = "wss"
+
+ tlsConfig := crypto.CreateTLSConfiguration()
+ tlsConfig.InsecureSkipVerify = params.endpoint.TLSConfig.TLSSkipVerify
+
 proxy.Dialer = &websocket.Dialer{
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
- },
+ TLSClientConfig: tlsConfig,
 }
 }
 
diff --git a/api/http/server.go b/api/http/server.go
index 23b429116..a82697b4a 100644
--- a/api/http/server.go
+++ b/api/http/server.go
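Review bot: Only the endpoint's `TLSSkipVerify` flag is copied onto the dialer's TLS config in proxyAgentWebsocketRequest; if `params.endpoint.TLSConfig` also carries CA or client-certificate settings (not visible in this hunk), they are ignored here, which would leave an agent behind a private CA reachable only by disabling verification. Worth confirming against the TLSConfig type and, if so, loading the CA into `tlsConfig.RootCAs` through the existing crypto helpers (CreateTLSConfigurationFromDisk already takes a caCertPath) instead of steering operators toward the skip flag. The enclosing function begins before this hunk, so how agentURL and proxy are built is not visible.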
@@ -346,7 +346,7 @@ func (server *Server) Start() error {
 TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // Disable HTTP/2
 }
 
- httpsServer.TLSConfig = crypto.CreateServerTLSConfiguration()
+ httpsServer.TLSConfig = crypto.CreateTLSConfiguration()
 httpsServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 return server.SSLService.GetRawCertificate(), nil
 }