This is an automated email from the ASF dual-hosted git repository. tianxiaoliang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push: new 1c4f8f3 Support TLS 1.3 (#582) 1c4f8f3 is described below commit 1c4f8f30f1a0cef0bf3ae0cba378e7e798757e1e Author: humingcheng <humingcheng1...@163.com> AuthorDate: Wed Aug 28 14:11:52 2019 +0800 Support TLS 1.3 (#582) --- docs/security-tls.md | 2 +- etc/conf/app.conf | 2 +- pkg/rest/client.go | 4 +--- pkg/tlsutil/common.go | 44 ++++++++++++++++++++---------------- pkg/tlsutil/common_test.go | 10 ++++++++ pkg/tlsutil/config.go | 37 +++++++++++++++--------------- pkg/tlsutil/tls13.go | 26 +++++++++++++++++++++ pkg/tlsutil/tlsutil.go | 31 ++++++++++++------------- pkg/tlsutil/tlsutil_test.go | 31 ++++++++++++------------- server/plugin/pkg/tls/buildin/tls.go | 4 ++-- 10 files changed, 114 insertions(+), 77 deletions(-) diff --git a/docs/security-tls.md b/docs/security-tls.md index f0a45b0..1ce23ef 100644 --- a/docs/security-tls.md +++ b/docs/security-tls.md @@ -14,5 +14,5 @@ Please modify the conf/app.conf before start up SC 1. ssl_mode: Enabled SSL/TLS mode. [0, 1] 1. ssl_verify_client: Whether the SC verify client(including etcd server). [0, 1] -1. ssl_protocols: Minimal SSL/TLS protocol version. ["TLSv1.0", "TLSv1.1", "TLSv1.2"] +1. ssl_min_version: Minimal SSL/TLS protocol version. ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"], based on Go version 1. ssl_ciphers: A list of cipher suite. By default, uses TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 diff --git a/etc/conf/app.conf b/etc/conf/app.conf index 0e1e9ba..ff85148 100644 --- a/etc/conf/app.conf +++ b/etc/conf/app.conf 
@@ -136,7 +136,7 @@ ssl_plugin = "" ssl_mode = 0 ssl_verify_client = 1 # minimal tls protocol, [TLSv1.0, TLSv1.1, TLSv1.2] -ssl_protocols = TLSv1.2 +ssl_min_version = TLSv1.2 ssl_ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 ################################################################### diff --git a/pkg/rest/client.go b/pkg/rest/client.go index c0ea997..96fc92d 100644 --- a/pkg/rest/client.go +++ b/pkg/rest/client.go @@ -45,8 +45,6 @@ var defaultURLClientOption = URLClientOption{ ConnsPerHost: DEFAULT_CONN_POOL_PER_HOST_SIZE, } -var defaultClientTLSOptions = tlsutil.DefaultClientTLSOptions() - type URLClientOption struct { SSLEnabled bool Compressed bool @@ -213,7 +211,7 @@ func GetURLClient(o URLClientOption) (client *URLClient, err error) { } if option.SSLEnabled { - opts := append(defaultClientTLSOptions, + opts := append(tlsutil.DefaultClientTLSOptions(), tlsutil.WithVerifyPeer(option.VerifyPeer), tlsutil.WithCA(option.CAFile), tlsutil.WithCert(option.CertFile), diff --git a/pkg/tlsutil/common.go b/pkg/tlsutil/common.go index ac4c311..061cb44 100644 --- a/pkg/tlsutil/common.go +++ b/pkg/tlsutil/common.go 
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
@@ -35,10 +34,17 @@ var TLS_VERSION_MAP = map[string]uint16{
 "TLSv1.2": tls.VersionTLS12,
 }
 
-var TLS_CIPHER_SUITE []uint16
+var cipherSuite []uint16
+
+// MaxSupportedTLSVersion is the max supported TLS version
+var MaxSupportedTLSVersion uint16 = tls.VersionTLS12
 
-func init() {
+func TLSCipherSuits() []uint16 {
+ if cipherSuite != nil {
+ return cipherSuite
+ }
 for _, c := range TLS_CIPHER_SUITE_MAP {
- TLS_CIPHER_SUITE = append(TLS_CIPHER_SUITE, c)
+ cipherSuite = append(cipherSuite, c)
 }
+ return cipherSuite
 }
diff --git a/pkg/tlsutil/common_test.go b/pkg/tlsutil/common_test.go
new file mode 100644
index 0000000..7378922
--- /dev/null
+++ b/pkg/tlsutil/common_test.go
@@ -0,0 +1,10 @@
+package tlsutil
+
+import "testing"
+
+func TestTLSCipherSuits(t *testing.T) {
+ suits := TLSCipherSuits()
+ if len(suits) <= 0 {
+ t.Fatalf("Get TLSCipherSuits failed")
+ }
+}
diff --git a/pkg/tlsutil/config.go b/pkg/tlsutil/config.go
index 60b6246..86f57e9 100644
--- a/pkg/tlsutil/config.go
+++ b/pkg/tlsutil/config.go
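Review bot: `TLSCipherSuits` fills `cipherSuite` by ranging over `TLS_CIPHER_SUITE_MAP`, and Go map iteration is randomly ordered, so the slice it returns — which becomes the server's preference order once it reaches `tls.Config.CipherSuites` — differs from one process start to the next; the old `init()` had the same property, but the new lazy fill also runs with no synchronization, so two goroutines calling it for the first time race on the package-level variable, and every caller shares the cached backing array. Build the list once under a `sync.Once`, walk the map in a fixed key order (or, better, keep the default suites in an ordered slice instead of a map), and return a copy; `sync` and `sort` would need adding to the file's import block, which lies outside this hunk.
```go
var cipherSuiteOnce sync.Once

func TLSCipherSuits() []uint16 {
	cipherSuiteOnce.Do(func() {
		// range over a map is randomly ordered; walk the keys in a fixed
		// order so the preference list is the same on every start
		names := make([]string, 0, len(TLS_CIPHER_SUITE_MAP))
		for name := range TLS_CIPHER_SUITE_MAP {
			names = append(names, name)
		}
		sort.Strings(names)
		for _, name := range names {
			cipherSuite = append(cipherSuite, TLS_CIPHER_SUITE_MAP[name])
		}
	})
	// hand out a copy so callers cannot alter the cached list
	return append([]uint16(nil), cipherSuite...)
}
```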
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
@@ -56,14 +55,14 @@ func DefaultClientTLSOptions() []SSLConfigOption {
 return []SSLConfigOption{
 WithVerifyPeer(true),
 WithVerifyHostName(true),
- WithVersion(tls.VersionTLS12, tls.VersionTLS12),
+ WithVersion(tls.VersionTLS12, MaxSupportedTLSVersion),
 }
 }
 
 func DefaultServerTLSOptions() []SSLConfigOption {
 return []SSLConfigOption{
 WithVerifyPeer(true),
- WithVersion(tls.VersionTLS12, tls.VersionTLS12),
- WithCipherSuits(TLS_CIPHER_SUITE),
+ WithVersion(tls.VersionTLS12, MaxSupportedTLSVersion),
+ WithCipherSuits(TLSCipherSuits()),
 }
 }
diff --git a/pkg/tlsutil/tls13.go b/pkg/tlsutil/tls13.go
new file mode 100644
index 0000000..75cd211
--- /dev/null
+++ b/pkg/tlsutil/tls13.go
@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build go1.12
+
+package tlsutil
+
+import "crypto/tls"
+
+func init() {
+ // Add TLS 1.3 version
+ TLS_VERSION_MAP["TLSv1.3"] = tls.VersionTLS13
+ MaxSupportedTLSVersion = tls.VersionTLS13
+}
diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
index c131b8e..87f6992 100644
--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
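Review bot: `DefaultServerTLSOptions` now raises the maximum to `MaxSupportedTLSVersion` while still passing `WithCipherSuits(TLSCipherSuits())`, but Go's crypto/tls does not apply `Config.CipherSuites` to TLS 1.3 handshakes (the 1.3 suites are not configurable), so whatever list ends up there only restricts TLS 1.2 and earlier once 1.3 is negotiated. Neither function has a doc comment; one on `DefaultServerTLSOptions` along the lines of `// DefaultServerTLSOptions returns the server defaults; the cipher suite list only restricts TLS 1.2 and earlier, TLS 1.3 suites are fixed by crypto/tls.` would stop operators from reading `ssl_ciphers` as a TLS 1.3 control. The same caveat applies to the `WithCipherSuits` calls in server/plugin/pkg/tls/buildin/tls.go.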
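Review bot: The `// +build go1.12` constraint registers `TLSv1.3` and raises `MaxSupportedTLSVersion` on Go 1.12, but in Go 1.12 TLS 1.3 is opt-in and only active when the process runs with `GODEBUG=tls13=1`; it is on by default only from Go 1.13. On a 1.12 build without that setting, an operator who follows the new docs line and sets `ssl_min_version = TLSv1.3` gets a MinVersion crypto/tls will not negotiate, so every handshake should fail, while the raised MaxVersion is silently capped at 1.2. Unless the project wants to document the GODEBUG requirement, `// +build go1.13` matches what the docs promise; a short comment on `init` stating which Go versions actually negotiate 1.3 would help either way.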
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
index a1c88a6..6f9e367 100644
--- a/pkg/tlsutil/tlsutil_test.go
+++ b/pkg/tlsutil/tlsutil_test.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
diff --git a/server/plugin/pkg/tls/buildin/tls.go b/server/plugin/pkg/tls/buildin/tls.go
index cc45b5d..96f75da 100644
--- a/server/plugin/pkg/tls/buildin/tls.go
+++ b/server/plugin/pkg/tls/buildin/tls.go
@@ -78,7 +78,7 @@ func GetClientTLSConfig() (_ *tls.Config, err error) { tlsutil.WithVersion( tlsutil.ParseSSLProtocol( beego.AppConfig.DefaultString("ssl_client_min_version", core.ServerInfo.Config.SslMinVersion)), - tls.VersionTLS12), + tlsutil.MaxSupportedTLSVersion), tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(beego.AppConfig.String("ssl_client_ciphers"))), tlsutil.WithKeyPass(passphase), tlsutil.WithCA(GetSSLPath("trust.cer")), @@ -108,7 +108,7 @@ func GetServerTLSConfig() (_ *tls.Config, err error) { opts := append(tlsutil.DefaultServerTLSOptions(), tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer), - tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion), tls.VersionTLS12), + tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion), tlsutil.MaxSupportedTLSVersion), tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers)), tlsutil.WithKeyPass(passphase), tlsutil.WithCA(GetSSLPath("trust.cer")),
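Review bot: Both hunks now pair an operator-configured minimum with `tlsutil.MaxSupportedTLSVersion`, but nothing here checks that the parsed minimum does not exceed that maximum; on a toolchain where tls13.go is not compiled, `TLSv1.3` is absent from `TLS_VERSION_MAP`, and what `ParseSSLProtocol` returns for an unknown name is not visible in these hunks. If it falls back to a permissive default, a typo or an unsupported value silently lowers the floor; if it returns a value above the maximum, every handshake fails with no hint why. A guard before each `WithVersion`, such as `if min > tlsutil.MaxSupportedTLSVersion { return nil, fmt.Errorf("ssl min version %q exceeds the supported maximum", core.ServerInfo.Config.SslMinVersion) }`, would surface either case at startup. Both `GetClientTLSConfig` and `GetServerTLSConfig` begin and end outside the hunks.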