fix(tls): specify the TLS MinVersion always EE-4427 (#7869)
parent
f9bbe000fb
commit
4753d52532
|
@ -6,8 +6,8 @@ import (
|
||||||
"os"
|
"os"
|
||||||
)
|
)
|
||||||
|
|
||||||
// CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
|
// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
|
||||||
func CreateServerTLSConfiguration() *tls.Config {
|
func CreateTLSConfiguration() *tls.Config {
|
||||||
return &tls.Config{
|
return &tls.Config{
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
CipherSuites: []uint16{
|
CipherSuites: []uint16{
|
||||||
|
@ -27,7 +27,7 @@ func CreateServerTLSConfiguration() *tls.Config {
|
||||||
// CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
|
// CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
|
||||||
// loaded from memory.
|
// loaded from memory.
|
||||||
func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
|
func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
|
||||||
config := &tls.Config{}
|
config := CreateTLSConfiguration()
|
||||||
config.InsecureSkipVerify = skipServerVerification
|
config.InsecureSkipVerify = skipServerVerification
|
||||||
|
|
||||||
if !skipClientVerification {
|
if !skipClientVerification {
|
||||||
|
@ -50,7 +50,7 @@ func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerific
|
||||||
// CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
|
// CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
|
||||||
// loaded from disk.
|
// loaded from disk.
|
||||||
func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
|
func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
|
||||||
config := &tls.Config{}
|
config := CreateTLSConfiguration()
|
||||||
config.InsecureSkipVerify = skipServerVerification
|
config.InsecureSkipVerify = skipServerVerification
|
||||||
|
|
||||||
if certPath != "" && keyPath != "" {
|
if certPath != "" && keyPath != "" {
|
||||||
|
|
|
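Review bot: `CreateTLSConfiguration` now seeds client configs too (the `config := CreateTLSConfiguration()` lines in CreateTLSConfigurationFromBytes and CreateTLSConfigurationFromDisk, plus the callers in the git, openamt and websocket files), but its body still carries the `CipherSuites` allow-list that was written when the function was server-only; an explicit list is an allow-list, so a client built from it can fail to negotiate with a peer that offers none of those suites, and in Go it only governs TLS 1.2 and below. The renamed doc comment should say so, since the next person extending the list will otherwise assume only the server is affected, e.g. `// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings.` followed by `// It is shared by server and client callers, so the CipherSuites allow-list (TLS 1.2 and below) also constrains outbound connections; a fresh value is returned on each call, so callers may mutate it.` The cipher suite list and the rest of the function body lie outside this hunk.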
@ -2,7 +2,6 @@ package git
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/tls"
|
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
@ -12,11 +11,13 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/portainer/portainer/api/archive"
|
||||||
|
"github.com/portainer/portainer/api/crypto"
|
||||||
|
gittypes "github.com/portainer/portainer/api/git/types"
|
||||||
|
|
||||||
"github.com/go-git/go-git/v5/plumbing/transport/client"
|
"github.com/go-git/go-git/v5/plumbing/transport/client"
|
||||||
githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
|
githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/portainer/portainer/api/archive"
|
|
||||||
gittypes "github.com/portainer/portainer/api/git/types"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -63,9 +64,12 @@ func NewAzureClient() *azureClient {
|
||||||
}
|
}
|
||||||
|
|
||||||
func newHttpClientForAzure() *http.Client {
|
func newHttpClientForAzure() *http.Client {
|
||||||
|
tlsConfig := crypto.CreateTLSConfiguration()
|
||||||
|
tlsConfig.InsecureSkipVerify = true
|
||||||
|
|
||||||
httpsCli := &http.Client{
|
httpsCli := &http.Client{
|
||||||
Transport: &http.Transport{
|
Transport: &http.Transport{
|
||||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
TLSClientConfig: tlsConfig,
|
||||||
Proxy: http.ProxyFromEnvironment,
|
Proxy: http.ProxyFromEnvironment,
|
||||||
},
|
},
|
||||||
Timeout: 300 * time.Second,
|
Timeout: 300 * time.Second,
|
||||||
|
|
|
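Review bot: `tlsConfig.InsecureSkipVerify = true` in newHttpClientForAzure keeps certificate verification off, so the MinVersion gained from `crypto.CreateTLSConfiguration()` hardens the handshake while the peer's identity still goes unchecked; the same two-line pattern appears in NewService in the openamt hunk. Now that the skip is a standalone statement rather than a struct literal, a one-line comment stating why verification is disabled and whether it is meant to stay that way would stop the next reader from treating it as an oversight, e.g. `// NOTE(review): certificate verification is intentionally disabled here — document the reason or make it configurable`. The rest of newHttpClientForAzure continues outside the hunk.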
@ -2,7 +2,6 @@ package openamt
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/tls"
|
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
@ -11,6 +10,8 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
portainer "github.com/portainer/portainer/api"
|
portainer "github.com/portainer/portainer/api"
|
||||||
|
"github.com/portainer/portainer/api/crypto"
|
||||||
|
|
||||||
"golang.org/x/sync/errgroup"
|
"golang.org/x/sync/errgroup"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -32,11 +33,14 @@ type Service struct {
|
||||||
|
|
||||||
// NewService initializes a new service.
|
// NewService initializes a new service.
|
||||||
func NewService() *Service {
|
func NewService() *Service {
|
||||||
|
tlsConfig := crypto.CreateTLSConfiguration()
|
||||||
|
tlsConfig.InsecureSkipVerify = true
|
||||||
|
|
||||||
return &Service{
|
return &Service{
|
||||||
httpsClient: &http.Client{
|
httpsClient: &http.Client{
|
||||||
Timeout: httpClientTimeout,
|
Timeout: httpClientTimeout,
|
||||||
Transport: &http.Transport{
|
Transport: &http.Transport{
|
||||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
TLSClientConfig: tlsConfig,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,14 +1,15 @@
|
||||||
package websocket
|
package websocket
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
|
portainer "github.com/portainer/portainer/api"
|
||||||
|
"github.com/portainer/portainer/api/crypto"
|
||||||
|
|
||||||
"github.com/gorilla/websocket"
|
"github.com/gorilla/websocket"
|
||||||
"github.com/koding/websocketproxy"
|
"github.com/koding/websocketproxy"
|
||||||
portainer "github.com/portainer/portainer/api"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
|
func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r *http.Request, params *webSocketRequestParams) error {
|
||||||
|
@ -62,10 +63,12 @@ func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *htt
|
||||||
|
|
||||||
if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
|
if params.endpoint.TLSConfig.TLS || params.endpoint.TLSConfig.TLSSkipVerify {
|
||||||
agentURL.Scheme = "wss"
|
agentURL.Scheme = "wss"
|
||||||
|
|
||||||
|
tlsConfig := crypto.CreateTLSConfiguration()
|
||||||
|
tlsConfig.InsecureSkipVerify = params.endpoint.TLSConfig.TLSSkipVerify
|
||||||
|
|
||||||
proxy.Dialer = &websocket.Dialer{
|
proxy.Dialer = &websocket.Dialer{
|
||||||
TLSClientConfig: &tls.Config{
|
TLSClientConfig: tlsConfig,
|
||||||
InsecureSkipVerify: params.endpoint.TLSConfig.TLSSkipVerify,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -346,7 +346,7 @@ func (server *Server) Start() error {
|
||||||
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // Disable HTTP/2
|
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // Disable HTTP/2
|
||||||
}
|
}
|
||||||
|
|
||||||
httpsServer.TLSConfig = crypto.CreateServerTLSConfiguration()
|
httpsServer.TLSConfig = crypto.CreateTLSConfiguration()
|
||||||
httpsServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
httpsServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
return server.SSLService.GetRawCertificate(), nil
|
return server.SSLService.GetRawCertificate(), nil
|
||||||
}
|
}
|
||||||
|
|