1
0
Fork 0

Add tls option for Elliptic Curve Preferences

This commit is contained in:
Kelvin Sarink 2019-11-03 15:54:04 +01:00 committed by Traefiker Bot
parent c5ec12cd56
commit 5a3e325742
10 changed files with 104 additions and 15 deletions

View file

@ -60,6 +60,20 @@ var (
"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
"TLS_FALLBACK_SCSV": tls.TLS_FALLBACK_SCSV,
}
// CurveIDs is a Map of TLS elliptic curves from crypto/tls
// Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID,
// also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7
CurveIDs = map[string]tls.CurveID{
`secp256r1`: tls.CurveP256,
`CurveP256`: tls.CurveP256,
`secp384r1`: tls.CurveP384,
`CurveP384`: tls.CurveP384,
`secp521r1`: tls.CurveP521,
`CurveP521`: tls.CurveP521,
`x25519`: tls.X25519,
`X25519`: tls.X25519,
}
)
// Certificate holds a SSL cert/key pair

View file

@ -16,11 +16,12 @@ type ClientAuth struct {
// Options configures TLS for an entry point
type Options struct {
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty"`
ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
}
// +k8s:deepcopy-gen=true

View file

@ -211,7 +211,7 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
}
}
// Set the minimum TLS version if set in the config TOML
// Set the minimum TLS version if set in the config
if minConst, exists := MinVersion[tlsOption.MinVersion]; exists {
conf.PreferServerCipherSuites = true
conf.MinVersion = minConst
@ -223,7 +223,7 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
conf.MaxVersion = maxConst
}
// Set the list of CipherSuites if set in the config TOML
// Set the list of CipherSuites if set in the config
if tlsOption.CipherSuites != nil {
// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
conf.CipherSuites = make([]uint16, 0)
@ -237,6 +237,20 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
}
}
// Set the list of CurvePreferences/CurveIDs if set in the config
if tlsOption.CurvePreferences != nil {
conf.CurvePreferences = make([]tls.CurveID, 0)
// if our list of CurvePreferences/CurveIDs is defined in the config, we can re-initialize the list as empty
for _, curve := range tlsOption.CurvePreferences {
if curveID, exists := CurveIDs[curve]; exists {
conf.CurvePreferences = append(conf.CurvePreferences, curveID)
} else {
// CurveID listed in the toml does not exist in our listed
return nil, fmt.Errorf("invalid CurveID in curvePreferences: %s", curve)
}
}
}
return conf, nil
}

View file

@ -79,6 +79,11 @@ func (in *Options) DeepCopyInto(out *Options) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.CurvePreferences != nil {
in, out := &in.CurvePreferences, &out.CurvePreferences
*out = make([]string, len(*in))
copy(*out, *in)
}
in.ClientAuth.DeepCopyInto(&out.ClientAuth)
return
}