-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add tls-min-version parameter #1103
Conversation
if err := f.Value.Set(value); err != nil { | ||
flagErrors = errors.Join(flagErrors, fmt.Errorf("failed to set -%s: %v", f.Name, err)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Previously, a wrong value set in an Environment variable was not raising an error
For instance, this was not failing:
$ EPR_FEATURE_STORAGE_INDEXER=aaddb ./package-registry`
And now, that same command would raise an error:
$ EPR_FEATURE_STORAGE_INDEXER=aaddb ./package-registry
2023/10/25 18:29:20 failed to set -feature-storage-indexer: parse error
main.go
Outdated
tlsMinVersion string | ||
tlsMinVersionCode uint16 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keep two values to be easier to compare if it is set or not this parameter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Umm, why not using a tls value directly here? We would also have the members for further uses.
tlsMinVersion string | |
tlsMinVersionCode uint16 | |
tlsMinVersion *tlsMinVersionValue |
It could implement an IsZero() bool
method to make it easy to check if it is set or not 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, added only some nitpicking.
Btw, not related to this PR, but I have seen in the logs that the server errors are logged using a different format, I wonder if we could use the same logger for everything:
{"log.level":"info","@timestamp":"2023-10-25T17:43:33.554Z","log.logger":"http","message":"HEAD / HTTP/2.0","source.address":"172.17.0.1","http.request.method":"HEAD","url.path":"/","url.domain":"localhost","http.response.code":200,"http.response.body.bytes":72,"event.duration":29288,"source.ip":"172.17.0.1","user_agent.original":"curl/7.81.0","url.port":8080,"ecs.version":"1.6.0"}
2023/10/25 17:43:39 http: TLS handshake error from 172.17.0.1:53032: remote error: tls: protocol version not supported
2023/10/25 17:43:43 http: TLS handshake error from 172.17.0.1:37008: remote error: tls: protocol version not supported
main.go
Outdated
tlsMinVersion string | ||
tlsMinVersionCode uint16 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Umm, why not using a tls value directly here? We would also have the members for further uses.
tlsMinVersion string | |
tlsMinVersionCode uint16 | |
tlsMinVersion *tlsMinVersionValue |
It could implement an IsZero() bool
method to make it easy to check if it is set or not 🙂
flags.go
Outdated
func (t tlsMinVersionValue) String() string { | ||
if t.version != nil { | ||
return *t.version | ||
} | ||
return "" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we store only the code in the value, we could have also a map here to convert it back to string.
func (t tlsMinVersionValue) String() string { | |
if t.version != nil { | |
return *t.version | |
} | |
return "" | |
} | |
func (t tlsMinVersionValue) String() string { | |
switch tlsMinVersionValue { | |
case tls.VersionTLS10: | |
return "1.0" | |
case tls.VersionTLS11: | |
return "1.1" | |
case tls.VersionTLS12: | |
return "1.2" | |
case tls.VersionTLS13: | |
return "1.3" | |
default: | |
return "" | |
} | |
} |
Tested with the For instance, using PORT STATE SERVICE
8080/tcp open http-proxy
| ssl-enum-ciphers:
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds Other example with PORT STATE SERVICE
8080/tcp open http-proxy
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
flags.go
Outdated
type tlsVersionValue struct { | ||
version uint16 | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could it be directly an int?
type tlsVersionValue struct { | |
version uint16 | |
} | |
type tlsVersionValue uint16 |
main.go
Outdated
@@ -118,7 +117,7 @@ func main() { | |||
log.Fatal(err) | |||
} | |||
|
|||
if tlsMinVersion != "" { | |||
if tlsMinVersionValue.String() != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or
if tlsMinVersionValue.String() != "" { | |
if tlsMinVersionValue > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this one be changed as well as the other one below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I missed this, sure
main.go
Outdated
@@ -118,7 +117,7 @@ func main() { | |||
log.Fatal(err) | |||
} | |||
|
|||
if tlsMinVersion != "" { | |||
if tlsMinVersionValue.String() != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this one be changed as well as the other one below?
Created issue for this |
💚 Build Succeeded
History
cc @mrodm |
Fixes #965
This PR adds a new parameter (and a new environment variable) to define the minimum TLS version supported.
If
-tls-min-version
is set, but-tls-cert
and-tls-key
are not specified , requests fail to package-registry service like this:How to test this
For instance, if package-registry is configured with EPR_TLS_MIN_VERSION=1.2 (or -tls-min-version 1.2):