This is an automated email from the ASF dual-hosted git repository.

wilfreds pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/yunikorn-k8shim.git


The following commit(s) were added to refs/heads/master by this push:
     new 288661cb [YUNIKORN-2456] Remove weak ciphers (#795)
288661cb is described below

commit 288661cb3f4628832949ad780353357d17843f49
Author: Wilfred Spiegelenburg <[email protected]>
AuthorDate: Tue Feb 27 21:09:52 2024 +1100

    [YUNIKORN-2456] Remove weak ciphers (#795)
    
    Restrict the cipher suites offered on TLS connections, removing weak ciphers.
    Based on the list maintained in the Go standard library's TLS package.
    
    Closes: #795
    
    Signed-off-by: Wilfred Spiegelenburg <[email protected]>
---
 pkg/cmd/admissioncontroller/main.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/admissioncontroller/main.go 
b/pkg/cmd/admissioncontroller/main.go
index 851ad036..e96dd1b0 100644
--- a/pkg/cmd/admissioncontroller/main.go
+++ b/pkg/cmd/admissioncontroller/main.go
@@ -21,6 +21,7 @@ package main
 import (
        "context"
        "crypto/tls"
+       "errors"
        "fmt"
        "net/http"
        "os"
@@ -142,14 +143,17 @@ func (wh *WebHook) Startup(certs *tls.Certificate) {
        wh.server = &http.Server{
                Addr: fmt.Sprintf(":%v", wh.port),
                TLSConfig: &tls.Config{
-                       MinVersion:   tls.VersionTLS12,
-                       Certificates: []tls.Certificate{*certs}},
+                       MinVersion:   tls.VersionTLS12,           // No SSL, 
TLS 1.0 or TLS 1.1 support
+                       NextProtos:   []string{"h2", "http/1.1"}, // prefer 
HTTP/2 over HTTP/1.1
+                       CipherSuites: wh.getCipherSuites(),       // limit 
cipher suite to secure ones
+                       Certificates: []tls.Certificate{*certs},
+               },
                Handler: mux,
        }
 
        go func() {
                if err := wh.server.ListenAndServeTLS("", ""); err != nil {
-                       if err == http.ErrServerClosed {
+                       if errors.Is(err, http.ErrServerClosed) {
                                log.Log(log.Admission).Info("existing server 
closed")
                        } else {
                                log.Log(log.Admission).Fatal("failed to start 
admission controller", zap.Error(err))
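Review bot: Setting `CipherSuites` explicitly to the full `tls.CipherSuites()` list replaces Go's default selection rather than tightening it, and the default already excludes everything in `tls.InsecureCipherSuites()`; if I recall correctly, recent toolchains (Go 1.22, `tlsrsakex` GODEBUG) additionally drop the RSA key-exchange suites from the default set while `tls.CipherSuites()` still lists them, so the explicit list may end up broader than leaving the field nil — worth confirming against the toolchain version in go.mod. The field also only governs TLS 1.2 and below; TLS 1.3 suites are fixed by the runtime, so the inline comment `// limit cipher suite to secure ones` overstates what is enforced here. I would either leave `CipherSuites` unset and document that the default already omits insecure suites, or keep the helper and filter it to ECDHE-only suites, with the comment amended to `// restrict TLS 1.2 suites; TLS 1.3 suites are fixed by Go`. The same applies to `getCipherSuites` in the last hunk. The enclosing `Startup` starts before this hunk and its goroutine body continues past it.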
@@ -175,3 +179,13 @@ func (wh *WebHook) Shutdown() {
                wh.server = nil
        }
 }
+
+// getCipherSuites returns the IDs of the currently considered secure ciphers.
+// Order of choice is defined in the cipherSuitesPreferenceOrder
+func (wh *WebHook) getCipherSuites() []uint16 {
+       var ids []uint16
+       for _, cs := range tls.CipherSuites() {
+               ids = append(ids, cs.ID)
+       }
+       return ids
+}
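Review bot: `getCipherSuites` never reads `wh`, so the receiver is only there to hang it off the type; a plain package-level function (or a `var` computed once, since the list is static per binary) would make that clear and avoid re-allocating the slice on every call: `func cipherSuiteIDs() []uint16`. The doc comment should also state what the caller sees, since Go ignores the order of `Config.CipherSuites` and the list has no effect on TLS 1.3: `// getCipherSuites returns the IDs of the suites tls.CipherSuites() currently reports as secure. Only TLS 1.2 connections are affected; TLS 1.3 suites and the preference order are fixed by the Go runtime.`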

