diff options
| author |  Yong Tang <yong.tang.github@outlook.com>
| 2022-02-17 12:26:08 -0800 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2022-02-17 12:26:08 -0800 |
| commit | c0c72e589471ff8b1b069714a1c46a16891e22b3 (patch) | |
| tree | b8dd53cdee27e1a53a0b4579b23bb5d7a4eb1bd4 | |
| parent | f8a02aaf58f26ae1791092ca37ac469c74c41172 (diff) | |
| download | coredns-c0c72e589471ff8b1b069714a1c46a16891e22b3.tar.gz coredns-c0c72e589471ff8b1b069714a1c46a16891e22b3.tar.zst coredns-c0c72e589471ff8b1b069714a1c46a16891e22b3.zip | |
Harden tls on all places (#5184)
PR 2938 hardens tls though there are other places that uses TLS
as well and setTLSDefaults are not invoked in other paths.
This PR hardens tls on all places.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
| -rw-r--r-- | plugin/pkg/tls/tls.go | 26 | ||||
| -rw-r--r-- | plugin/tls/tls.go | 18 |
2 files changed, 24 insertions, 20 deletions
diff --git a/plugin/pkg/tls/tls.go b/plugin/pkg/tls/tls.go index 8d36d6823..cba25503e 100644 --- a/plugin/pkg/tls/tls.go +++ b/plugin/pkg/tls/tls.go @@ -11,6 +11,22 @@ import ( "time" ) +func setTLSDefaults(ctls *tls.Config) { + ctls.MinVersion = tls.VersionTLS12 + ctls.MaxVersion = tls.VersionTLS13 + ctls.CipherSuites = []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + } +} + // NewTLSConfigFromArgs returns a TLS config based upon the passed // in list of arguments. Typically these come straight from the // Corefile. @@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) { return nil, err } - return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil + tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots} + setTLSDefaults(tlsConfig) + + return tlsConfig, nil } // NewTLSClientConfig returns a TLS config for a client connection @@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) { return nil, err } - return &tls.Config{RootCAs: roots}, nil + tlsConfig := &tls.Config{RootCAs: roots} + setTLSDefaults(tlsConfig) + + return tlsConfig, nil } func loadRoots(caPath string) (*x509.CertPool, error) { diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go index 930c5e702..2658159a9 100644 --- a/plugin/tls/tls.go +++ b/plugin/tls/tls.go @@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error { return nil } -func setTLSDefaults(tls *ctls.Config) { - tls.MinVersion = ctls.VersionTLS12 - tls.MaxVersion = ctls.VersionTLS13 - tls.CipherSuites = []uint16{ - ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - } -} - func parseTLS(c *caddy.Controller) error { config := dnsserver.GetConfig(c) @@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error { // NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it. tls.ClientCAs = tls.RootCAs - setTLSDefaults(tls) - config.TLSConfig = tls } return nil |