This is an automated email from the ASF dual-hosted git repository.

tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git


The following commit(s) were added to refs/heads/master by this push:
     new 1c4f8f3  Support TLS 1.3 (#582)
1c4f8f3 is described below

commit 1c4f8f30f1a0cef0bf3ae0cba378e7e798757e1e
Author: humingcheng <humingcheng1...@163.com>
AuthorDate: Wed Aug 28 14:11:52 2019 +0800

    Support TLS 1.3 (#582)
---
 docs/security-tls.md                 |  2 +-
 etc/conf/app.conf                    |  2 +-
 pkg/rest/client.go                   |  4 +---
 pkg/tlsutil/common.go                | 44 ++++++++++++++++++++----------------
 pkg/tlsutil/common_test.go           | 10 ++++++++
 pkg/tlsutil/config.go                | 37 +++++++++++++++---------------
 pkg/tlsutil/tls13.go                 | 26 +++++++++++++++++++++
 pkg/tlsutil/tlsutil.go               | 31 ++++++++++++-------------
 pkg/tlsutil/tlsutil_test.go          | 31 ++++++++++++-------------
 server/plugin/pkg/tls/buildin/tls.go |  4 ++--
 10 files changed, 114 insertions(+), 77 deletions(-)

diff --git a/docs/security-tls.md b/docs/security-tls.md
index f0a45b0..1ce23ef 100644
--- a/docs/security-tls.md
+++ b/docs/security-tls.md
@@ -14,5 +14,5 @@ Please modify the conf/app.conf before start up SC
 
 1. ssl_mode: Enabled SSL/TLS mode. [0, 1]
 1. ssl_verify_client: Whether the SC verify client(including etcd server). [0, 
1]
-1. ssl_protocols: Minimal SSL/TLS protocol version. ["TLSv1.0", "TLSv1.1", 
"TLSv1.2"]
+1. ssl_min_version: Minimal SSL/TLS protocol version. ["TLSv1.0", "TLSv1.1", 
"TLSv1.2", "TLSv1.3"], based on Go version
 1. ssl_ciphers: A list of cipher suite. By default, uses 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index 0e1e9ba..ff85148 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -136,7 +136,7 @@ ssl_plugin = ""
 ssl_mode = 0
 ssl_verify_client = 1
 # minimal tls protocol, [TLSv1.0, TLSv1.1, TLSv1.2]
-ssl_protocols = TLSv1.2
+ssl_min_version = TLSv1.2
 ssl_ciphers = 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
 
 ###################################################################
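Review bot: The comment directly above the renamed key still lists only `[TLSv1.0, TLSv1.1, TLSv1.2]`, while docs/security-tls.md in this same commit advertises TLSv1.3; update it to `# minimal tls protocol, [TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3] (TLSv1.3 requires a Go >= 1.12 build)`. The rename from `ssl_protocols` to `ssl_min_version` also means an operator who upgrades and keeps an old app.conf now has a stale key; whether the loader warns on unknown keys or silently ignores them is not visible here, but either way the effective minimum then depends on what ParseSSLProtocol does with an empty value, so this deserves a line in the release notes.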
diff --git a/pkg/rest/client.go b/pkg/rest/client.go
index c0ea997..96fc92d 100644
--- a/pkg/rest/client.go
+++ b/pkg/rest/client.go
@@ -45,8 +45,6 @@ var defaultURLClientOption = URLClientOption{
        ConnsPerHost:          DEFAULT_CONN_POOL_PER_HOST_SIZE,
 }
 
-var defaultClientTLSOptions = tlsutil.DefaultClientTLSOptions()
-
 type URLClientOption struct {
        SSLEnabled            bool
        Compressed            bool
@@ -213,7 +211,7 @@ func GetURLClient(o URLClientOption) (client *URLClient, 
err error) {
        }
 
        if option.SSLEnabled {
-               opts := append(defaultClientTLSOptions,
+               opts := append(tlsutil.DefaultClientTLSOptions(),
                        tlsutil.WithVerifyPeer(option.VerifyPeer),
                        tlsutil.WithCA(option.CAFile),
                        tlsutil.WithCert(option.CertFile),
diff --git a/pkg/tlsutil/common.go b/pkg/tlsutil/common.go
index ac4c311..061cb44 100644
--- a/pkg/tlsutil/common.go
+++ b/pkg/tlsutil/common.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
@@ -35,10 +34,17 @@ var TLS_VERSION_MAP = map[string]uint16{
        "TLSv1.2": tls.VersionTLS12,
 }
 
-var TLS_CIPHER_SUITE []uint16
+var cipherSuite []uint16
+
+// MaxSupportedTLSVersion is the max supported TLS version
+var MaxSupportedTLSVersion uint16 = tls.VersionTLS12
 
-func init() {
+func TLSCipherSuits() []uint16 {
+       if cipherSuite != nil {
+               return cipherSuite
+       }
        for _, c := range TLS_CIPHER_SUITE_MAP {
-               TLS_CIPHER_SUITE = append(TLS_CIPHER_SUITE, c)
+               cipherSuite = append(cipherSuite, c)
        }
+       return cipherSuite
 }
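Review bot: `TLSCipherSuits` fills the package-level `cipherSuite` lazily with no synchronization, so two goroutines that first call it concurrently (for example two `DefaultServerTLSOptions()` calls) race on the write and can each build and hand back a different slice; the `init()` it replaces had no such race. `sync.Once` keeps the lazy behaviour and makes the result immutable after first use (it needs `sync` in the import block, which starts at the edge of this hunk and is not fully visible). The order still comes from ranging over `TLS_CIPHER_SUITE_MAP`, so the preference order changes from process to process — that predates this commit, but if the server config ever sets `PreferServerCipherSuites` it makes the negotiated suite nondeterministic, and a fixed ordered list would remove it. Worth a doc comment too, since Go ignores `Config.CipherSuites` for TLS 1.3, so this list only governs TLS 1.2 and below.

```go
var (
	cipherSuiteOnce sync.Once
	cipherSuite     []uint16
)

// TLSCipherSuits returns the suites listed in TLS_CIPHER_SUITE_MAP, built once.
// Go does not let callers configure TLS 1.3 suites, so this only governs TLS <= 1.2.
func TLSCipherSuits() []uint16 {
	cipherSuiteOnce.Do(func() {
		// … unchanged: append each value of TLS_CIPHER_SUITE_MAP to cipherSuite …
	})
	return cipherSuite
}
```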
diff --git a/pkg/tlsutil/common_test.go b/pkg/tlsutil/common_test.go
new file mode 100644
index 0000000..7378922
--- /dev/null
+++ b/pkg/tlsutil/common_test.go
@@ -0,0 +1,10 @@
+package tlsutil
+
+import "testing"
+
+func TestTLSCipherSuits(t *testing.T) {
+       suits := TLSCipherSuits()
+       if len(suits) <= 0 {
+               t.Fatalf("Get TLSCipherSuits failed")
+       }
+}
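Review bot: The new test file is missing the Apache license header that every other file in this commit carries (the commit even normalizes that header elsewhere), which the ASF RAT check will flag. The assertion is also weaker than it needs to be: `len(suits) <= 0` only proves the map is non-empty, whereas the function's contract is that it mirrors the map and memoizes the result; pin that with `if len(suits) != len(TLS_CIPHER_SUITE_MAP) { t.Fatalf("got %d suites, want %d", len(suits), len(TLS_CIPHER_SUITE_MAP)) }` and a second call whose first element address equals the first call's, so a regression back to rebuilding on every call is caught.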
diff --git a/pkg/tlsutil/config.go b/pkg/tlsutil/config.go
index 60b6246..86f57e9 100644
--- a/pkg/tlsutil/config.go
+++ b/pkg/tlsutil/config.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
@@ -56,14 +55,14 @@ func DefaultClientTLSOptions() []SSLConfigOption {
        return []SSLConfigOption{
                WithVerifyPeer(true),
                WithVerifyHostName(true),
-               WithVersion(tls.VersionTLS12, tls.VersionTLS12),
+               WithVersion(tls.VersionTLS12, MaxSupportedTLSVersion),
        }
 }
 
 func DefaultServerTLSOptions() []SSLConfigOption {
        return []SSLConfigOption{
                WithVerifyPeer(true),
-               WithVersion(tls.VersionTLS12, tls.VersionTLS12),
-               WithCipherSuits(TLS_CIPHER_SUITE),
+               WithVersion(tls.VersionTLS12, MaxSupportedTLSVersion),
+               WithCipherSuits(TLSCipherSuits()),
        }
 }
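Review bot: Both exported constructors are undocumented, and the one fact a caller now needs is easy to get wrong: the ceiling is whatever `MaxSupportedTLSVersion` holds at call time, and the server's `WithCipherSuits(TLSCipherSuits())` list is ignored by Go for TLS 1.3 connections, so it constrains TLS 1.2 and older only. Suggested comments: `// DefaultClientTLSOptions verifies the peer and its hostname and negotiates TLS 1.2 up to MaxSupportedTLSVersion.` and `// DefaultServerTLSOptions verifies the peer, negotiates TLS 1.2 up to MaxSupportedTLSVersion, and restricts TLS <= 1.2 cipher suites to TLSCipherSuits(); Go's TLS 1.3 suites are not configurable.`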
diff --git a/pkg/tlsutil/tls13.go b/pkg/tlsutil/tls13.go
new file mode 100644
index 0000000..75cd211
--- /dev/null
+++ b/pkg/tlsutil/tls13.go
@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build go1.12
+
+package tlsutil
+
+import "crypto/tls"
+
+func init() {
+       // Add TLS 1.3 version
+       TLS_VERSION_MAP["TLSv1.3"] = tls.VersionTLS13
+       MaxSupportedTLSVersion = tls.VersionTLS13
+}
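Review bot: The `go1.12` build tag only guarantees that `tls.VersionTLS13` compiles; on Go 1.12 itself TLS 1.3 stays disabled unless the process runs with `GODEBUG=tls13=1`, and it is on by default only from Go 1.13. On a 1.12 build this init() therefore reports TLS 1.3 as supported while the runtime cannot negotiate it, so an operator who sets `ssl_min_version = TLSv1.3` gets a floor above the effective ceiling and every handshake fails with nothing logged at startup. Either raise the tag to `// +build go1.13` or add a comment here and in docs/security-tls.md stating the GODEBUG requirement for 1.12. Separately, `MaxSupportedTLSVersion` is an exported mutable variable, so any importer can reassign it at runtime; if it is meant to be fixed per build, unexport it and expose a read-only accessor such as `func MaxSupportedTLSVersion() uint16`.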
diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
index c131b8e..87f6992 100644
--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
index a1c88a6..6f9e367 100644
--- a/pkg/tlsutil/tlsutil_test.go
+++ b/pkg/tlsutil/tlsutil_test.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package tlsutil
 
 import (
diff --git a/server/plugin/pkg/tls/buildin/tls.go 
b/server/plugin/pkg/tls/buildin/tls.go
index cc45b5d..96f75da 100644
--- a/server/plugin/pkg/tls/buildin/tls.go
+++ b/server/plugin/pkg/tls/buildin/tls.go
@@ -78,7 +78,7 @@ func GetClientTLSConfig() (_ *tls.Config, err error) {
                tlsutil.WithVersion(
                        tlsutil.ParseSSLProtocol(
                                
beego.AppConfig.DefaultString("ssl_client_min_version", 
core.ServerInfo.Config.SslMinVersion)),
-                       tls.VersionTLS12),
+                       tlsutil.MaxSupportedTLSVersion),
                
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(beego.AppConfig.String("ssl_client_ciphers"))),
                tlsutil.WithKeyPass(passphase),
                tlsutil.WithCA(GetSSLPath("trust.cer")),
@@ -108,7 +108,7 @@ func GetServerTLSConfig() (_ *tls.Config, err error) {
 
        opts := append(tlsutil.DefaultServerTLSOptions(),
                tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
-               
tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion),
 tls.VersionTLS12),
+               
tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion),
 tlsutil.MaxSupportedTLSVersion),
                
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers)),
                tlsutil.WithKeyPass(passphase),
                tlsutil.WithCA(GetSSLPath("trust.cer")),
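Review bot: `GetServerTLSConfig` now lets the operator's `ssl_min_version` float up to `tlsutil.MaxSupportedTLSVersion`, but nothing checks that the parsed minimum is not above that ceiling. `tlsutil.ParseSSLProtocol` is outside this view, so I cannot tell how it treats a name the build does not know (TLSv1.3 on a pre-1.12 toolchain); if it falls back to a lower version the server silently starts with a weaker floor than configured, and if it returns a value above the maximum every handshake fails with no startup error. Parsing once and rejecting the misconfiguration turns either case into a clear failure at startup; the same guard belongs in `GetClientTLSConfig` in the hunk above. Both functions begin and end outside this hunk, and the guard assumes `fmt` is imported in this file.

```go
	minVersion := tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion)
	if minVersion > tlsutil.MaxSupportedTLSVersion {
		return nil, fmt.Errorf("ssl_min_version %q is not supported by this build",
			core.ServerInfo.Config.SslMinVersion)
	}
	opts := append(tlsutil.DefaultServerTLSOptions(),
		tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
		tlsutil.WithVersion(minVersion, tlsutil.MaxSupportedTLSVersion),
		// … unchanged: cipher suites, key passphrase, CA and the rest of the options …
```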
