Add support for MaxVersion in tls.Options

2019-10-29 07:58:05 -04:00 · 2019-10-29 07:58:05 -04:00 · 1f39083555
commit 1f39083555
parent 5f8fb6c226
8 changed files with 72 additions and 0 deletions
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -482,6 +482,7 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options

 		tlsOptions[makeID(tlsOption.Namespace, tlsOption.Name)] = tls.Options{
 			MinVersion:   tlsOption.Spec.MinVersion,
+			MaxVersion:   tlsOption.Spec.MaxVersion,
 			CipherSuites: tlsOption.Spec.CipherSuites,
 			ClientAuth: tls.ClientAuth{
 				CAFiles:        clientCAs,
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
@ -20,6 +20,7 @@ type TLSOption struct {
 // TLSOptionSpec configures TLS for an entry point
 type TLSOptionSpec struct {
 	MinVersion   string     `json:"minVersion,omitempty"`
+	MaxVersion   string     `json:"maxVersion,omitempty"`
 	CipherSuites []string   `json:"cipherSuites,omitempty"`
 	ClientAuth   ClientAuth `json:"clientAuth,omitempty"`
 	SniStrict    bool       `json:"sniStrict,omitempty"`
--- a/pkg/tls/certificate.go
+++ b/pkg/tls/certificate.go
@ -22,6 +22,14 @@ var (
 		`VersionTLS13`: tls.VersionTLS13,
 	}

+	// MaxVersion Map of allowed TLS minimum versions
+	MaxVersion = map[string]uint16{
+		`VersionTLS10`: tls.VersionTLS10,
+		`VersionTLS11`: tls.VersionTLS11,
+		`VersionTLS12`: tls.VersionTLS12,
+		`VersionTLS13`: tls.VersionTLS13,
+	}
+
 	// CipherSuites Map of TLS CipherSuites from crypto/tls
 	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
 	CipherSuites = map[string]uint16{
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@ -17,6 +17,7 @@ type ClientAuth struct {
 // Options configures TLS for an entry point
 type Options struct {
 	MinVersion   string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
+	MaxVersion   string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
 	CipherSuites []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
 	ClientAuth   ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
 	SniStrict    bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@ -217,6 +217,12 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 		conf.MinVersion = minConst
 	}

+	// Set the maximum TLS version if set in the config TOML
+	if maxConst, exists := MaxVersion[tlsOption.MaxVersion]; exists {
+		conf.PreferServerCipherSuites = true
+		conf.MaxVersion = maxConst
+	}
+
 	// Set the list of CipherSuites if set in the config TOML
 	if tlsOption.CipherSuites != nil {
 		// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty