This is an automated email from the ASF dual-hosted git repository.
rawlin pushed a commit to branch 4.1.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/4.1.x by this push:
new 8d9b009 Update TO for minimum TLS version for 4.1 (#5059)
8d9b009 is described below
commit 8d9b009170c9264dfe50a5634ce77781854f0b2b
Author: Hank Beatty <[email protected]>
AuthorDate: Tue Sep 22 10:53:38 2020 -0400
Update TO for minimum TLS version for 4.1 (#5059)
This update allows an administrator to set a minimum TLS version for
Traffic Ops.
---
CHANGELOG.md | 7 +++++++
docs/source/admin/traffic_ops.rst | 6 ++++++
traffic_ops/app/conf/cdn.conf | 5 ++++-
traffic_ops/traffic_ops_golang/config/config.go | 6 +++++-
traffic_ops/traffic_ops_golang/traffic_ops_golang.go | 8 +++++++-
5 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 943c220..35556e9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this
file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
+## [4.1.1] - 2020-09-22
+### Added
+- Added the ability to set TLS config provided here:
https://golang.org/pkg/crypto/tls/#Config in Traffic Ops
+
+### Deprecated
+- Deprecated the `insecure` option in `traffic_ops_golang` in favor of
`"tls_config": { "InsecureSkipVerify": <bool> }`
+
## [4.1.0] - 2020-04-23
### Added
- Added support for use of ATS Slice plugin as an additonal option to range
request handling on HTTP/DNS DSes.
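Review bot: the "Added" entry under [4.1.1] overstates what the stanza can do; since the values are decoded from JSON straight into the Go struct, only JSON-representable fields of crypto/tls.Config can be set, and version and cipher-suite fields take the numeric constants (e.g. `MinVersion`), not names. Suggest wording it as "set JSON-representable fields of crypto/tls.Config (e.g. MinVersion) via the `tls_config` stanza" so administrators do not expect `Certificates` or callback fields to be configurable here.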
diff --git a/docs/source/admin/traffic_ops.rst
b/docs/source/admin/traffic_ops.rst
index 74de88d..463c567 100644
--- a/docs/source/admin/traffic_ops.rst
+++ b/docs/source/admin/traffic_ops.rst
@@ -397,6 +397,10 @@ This file deals with the configuration parameters of
running Traffic Ops itself.
:db_query_timeout_seconds: An optional field specifying a timeout on
database *transactions* (not actually single queries in most cases) within API
route handlers. Effectively this is a timeout on a single handler's ability to
interact with the Traffic Ops Database. Default if not specified is the value
of `DefaultDBQueryTimeoutSecs
<https://godoc.org/github.com/apache/trafficcontrol/traffic_ops/traffic_ops_golang/config#pkg-constants>`_.
:idle_timeout: An optional timeout in seconds for idle client
connections to Traffic Ops. If set to zero, the value of ``read_timeout`` will
be used instead. If both are zero, then the value of ``read_header_timeout``
will be used. If all three fields are zero, there is no timeout and connections
will be kept alive indefinitely - **not** recommended. Default if not specified
is zero.
:insecure: An optional boolean which, if set to ``true`` will cause
Traffic Ops to skip verification of client certificates whenever
necessary/possible. If set to ``false``, the normal verification behavior is
exhibited. Default if not specified is ``false``.
+
+ .. deprecated:: 5.0
+ Future versions of Traffic Ops will not support this
legacy configuration option, see tls_config: { InsecureSkipVerify: <bool> }
instead
+
:log_location_debug: This optional field, if specified, should either
be the location of a file to which debug-level output will be logged, or one of
the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``.
:log_location_error: This optional field, if specified, should either
be the location of a file to which error-level output will be logged, or one of
the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``. This field [...]
:log_location_event: This optional field, if specified, should either
be the location of a file to which event-level output will be logged, or one of
the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``.
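Review bot: the new `.. deprecated:: 5.0` text should use the file's literal markup for the replacement (``tls_config`` and ``InsecureSkipVerify`` rather than bare `tls_config: { InsecureSkipVerify: <bool> }`) and end with a period. It is also worth stating precisely what the replacement governs: in crypto/tls, `InsecureSkipVerify` controls a client's verification of the server's certificate chain, so a reader should not take the surrounding "skip verification of client certificates" wording as the effect of the new setting on this server.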
@@ -441,6 +445,8 @@ This file deals with the configuration parameters of
running Traffic Ops itself.
:disabled_routes: A list of API route IDs to disable. Requests
matching these routes will receive a 503 response. To find the route ID for a
given path you would like to disable, run ``./traffic_ops_golang`` using the
:option:`--api-routes` option to view all the route information, including
route IDs and paths.
:ignore_unknown_routes: If ``false`` (default) return an error
and prevent startup if unknown route IDs are found. Otherwise, log a warning
and continue startup.
+ :tls_config: An optional stanza for TLS configuration. The values of
which conform to the :godoc:`crypto/tls.Config` structure.
+
Example cdn.conf
''''''''''''''''
.. include:: ../../../traffic_ops/app/conf/cdn.conf
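Review bot: the `:tls_config:` description should say how values are expressed, since the stanza is decoded into the Go struct: field names are the exported struct field names (`MinVersion`, `MaxVersion`, `CipherSuites`, ...) and version values are the numeric constants from crypto/tls (e.g. ``771`` for TLS 1.2), and the `:godoc:` link alone does not convey that. A one-line example such as ``"tls_config": { "MinVersion": 771 }`` next to the description would prevent misconfiguration.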
diff --git a/traffic_ops/app/conf/cdn.conf b/traffic_ops/app/conf/cdn.conf
index 5f68106..da2d8ba 100644
--- a/traffic_ops/app/conf/cdn.conf
+++ b/traffic_ops/app/conf/cdn.conf
@@ -39,7 +39,10 @@
"perl_routes": [],
"disabled_routes": []
},
- "profiling_enabled": false
+ "profiling_enabled": false,
+ "tls_config": {
+ "MinVersion": 769
+ }
},
"cors" : {
"access_control_allow_origin" : "*"
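Review bot: the shipped example sets `"MinVersion": 769`, which is 0x0301, i.e. `tls.VersionTLS10`; as the example cdn.conf is included verbatim in the admin docs, this effectively recommends a TLS 1.0 floor. Suggest `"MinVersion": 771` (TLS 1.2, 0x0303) with a comment-free note in the docs explaining the number, since this file is JSON and cannot carry an inline comment.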
diff --git a/traffic_ops/traffic_ops_golang/config/config.go
b/traffic_ops/traffic_ops_golang/config/config.go
index 1e798c9..aa9774b 100644
--- a/traffic_ops/traffic_ops_golang/config/config.go
+++ b/traffic_ops/traffic_ops_golang/config/config.go
@@ -20,6 +20,7 @@ package config
*/
import (
+ "crypto/tls"
"encoding/json"
"errors"
"fmt"
@@ -69,6 +70,9 @@ type ConfigHypnotoad struct {
// ConfigTrafficOpsGolang carries settings specific to traffic_ops_golang
server
type ConfigTrafficOpsGolang struct {
+ // Deprecated in 5.0
+ Insecure bool `json:"insecure"`
+ // end deprecated
Port string `json:"port"`
ProxyTimeout int
`json:"proxy_timeout"`
ProxyKeepAlive int
`json:"proxy_keep_alive"`
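Review bot: `// Deprecated in 5.0` above `Insecure` is not the Go deprecation convention; a `// Deprecated: use TLSConfig.InsecureSkipVerify instead.` paragraph is what `go vet`, staticcheck and godoc recognise, and the `// end deprecated` marker can be dropped since a single field follows it.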
@@ -84,7 +88,6 @@ type ConfigTrafficOpsGolang struct {
LogLocationInfo string
`json:"log_location_info"`
LogLocationDebug string
`json:"log_location_debug"`
LogLocationEvent string
`json:"log_location_event"`
- Insecure bool `json:"insecure"`
MaxDBConnections int
`json:"max_db_connections"`
DBMaxIdleConnections int
`json:"db_max_idle_connections"`
DBConnMaxLifetimeSeconds int
`json:"db_conn_max_lifetime_seconds"`
@@ -99,6 +102,7 @@ type ConfigTrafficOpsGolang struct {
WhitelistedOAuthUrls []string
`json:"whitelisted_oauth_urls"`
OAuthClientSecret string
`json:"oauth_client_secret"`
RoutingBlacklist `json:"routing_blacklist"`
+ TLSConfig *tls.Config `json:"tls_config"`
// CRConfigUseRequestHost is whether to use the client request host
header in the CRConfig. If false, uses the tm.url parameter.
// This defaults to false. Traffic Ops used to always use the host
header, setting this true will resume that legacy behavior.
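Review bot: decoding `tls_config` directly into `*tls.Config` means every exported field is settable from cdn.conf with no validation, including `InsecureSkipVerify` and arbitrary `MinVersion`/`MaxVersion` values. Consider validating the decoded struct after load (reject `MinVersion` below `tls.VersionTLS12`, or at least log a warning, and reject a `MaxVersion` lower than `MinVersion`) so a typo such as `769` for `771` does not silently lower the floor to TLS 1.0; this would fit next to the existing config load error handling.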
diff --git a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
index 1c24aba..13dcd65 100644
--- a/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
+++ b/traffic_ops/traffic_ops_golang/traffic_ops_golang.go
@@ -168,13 +168,19 @@ func main() {
server := &http.Server{
Addr: ":" + cfg.Port,
- TLSConfig: &tls.Config{InsecureSkipVerify:
cfg.Insecure},
+ TLSConfig: cfg.TLSConfig,
ReadTimeout: time.Duration(cfg.ReadTimeout) * time.Second,
ReadHeaderTimeout: time.Duration(cfg.ReadHeaderTimeout) *
time.Second,
WriteTimeout: time.Duration(cfg.WriteTimeout) *
time.Second,
IdleTimeout: time.Duration(cfg.IdleTimeout) * time.Second,
ErrorLog: log.Error,
}
+ if server.TLSConfig == nil {
+ server.TLSConfig = &tls.Config{}
+ }
+ // Deprecated in 5.0
+ server.TLSConfig.InsecureSkipVerify = cfg.Insecure
+ // end deprecated block
go func() {
if cfg.KeyPath == "" {
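Review bot: `server.TLSConfig.InsecureSkipVerify = cfg.Insecure` overwrites whatever the new `tls_config` stanza set, so `"tls_config": { "InsecureSkipVerify": true }` is silently reset to `false` unless the deprecated `insecure` key is also present, which contradicts the changelog's "in favor of" wording. Suggest making the legacy key additive only: `if cfg.Insecure { server.TLSConfig.InsecureSkipVerify = true }`, optionally logging a deprecation warning when it fires. Note also that `server.TLSConfig` aliases `cfg.TLSConfig`, so this assignment mutates the loaded config struct.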