Add tls option for Elliptic Curve Preferences
This commit is contained in:
Kelvin Sarink
Traefiker Bot
parent
c5ec12cd56
commit
5a3e325742
10 changed files with 104 additions and 15 deletions
|
|
@ -60,6 +60,20 @@ var (
|
|||
"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
|
||||
"TLS_FALLBACK_SCSV": tls.TLS_FALLBACK_SCSV,
|
||||
}
|
||||
|
||||
// CurveIDs is a Map of TLS elliptic curves from crypto/tls
|
||||
// Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID,
|
||||
// also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7
|
||||
CurveIDs = map[string]tls.CurveID{
|
||||
`secp256r1`: tls.CurveP256,
|
||||
`CurveP256`: tls.CurveP256,
|
||||
`secp384r1`: tls.CurveP384,
|
||||
`CurveP384`: tls.CurveP384,
|
||||
`secp521r1`: tls.CurveP521,
|
||||
`CurveP521`: tls.CurveP521,
|
||||
`x25519`: tls.X25519,
|
||||
`X25519`: tls.X25519,
|
||||
}
|
||||
)
|
||||
|
||||
// Certificate holds a SSL cert/key pair
|
||||
|
|
|
|||
|
|
@ -16,11 +16,12 @@ type ClientAuth struct {
|
|||
|
||||
// Options configures TLS for an entry point
|
||||
type Options struct {
|
||||
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
|
||||
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
|
||||
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
|
||||
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
|
|
|||
|
|
@ -211,7 +211,7 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// Set the minimum TLS version if set in the config TOML
|
||||
// Set the minimum TLS version if set in the config
|
||||
if minConst, exists := MinVersion[tlsOption.MinVersion]; exists {
|
||||
conf.PreferServerCipherSuites = true
|
||||
conf.MinVersion = minConst
|
||||
|
|
@ -223,7 +223,7 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
|
|||
conf.MaxVersion = maxConst
|
||||
}
|
||||
|
||||
// Set the list of CipherSuites if set in the config TOML
|
||||
// Set the list of CipherSuites if set in the config
|
||||
if tlsOption.CipherSuites != nil {
|
||||
// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
|
||||
conf.CipherSuites = make([]uint16, 0)
|
||||
|
|
@ -237,6 +237,20 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// Set the list of CurvePreferences/CurveIDs if set in the config
|
||||
if tlsOption.CurvePreferences != nil {
|
||||
conf.CurvePreferences = make([]tls.CurveID, 0)
|
||||
// if our list of CurvePreferences/CurveIDs is defined in the config, we can re-initialize the list as empty
|
||||
for _, curve := range tlsOption.CurvePreferences {
|
||||
if curveID, exists := CurveIDs[curve]; exists {
|
||||
conf.CurvePreferences = append(conf.CurvePreferences, curveID)
|
||||
} else {
|
||||
// CurveID listed in the toml does not exist in our listed
|
||||
return nil, fmt.Errorf("invalid CurveID in curvePreferences: %s", curve)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return conf, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -79,6 +79,11 @@ func (in *Options) DeepCopyInto(out *Options) {
|
|||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.CurvePreferences != nil {
|
||||
in, out := &in.CurvePreferences, &out.CurvePreferences
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.ClientAuth.DeepCopyInto(&out.ClientAuth)
|
||||
return
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue