whitelist for ciphersuites available for TLS

TykTechnologies · Jan 11, 2018 · 0189540 · 0189540
1 parent 5984788
commit 0189540
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 5 deletions.
diff --git a/cert.go b/cert.go
@@ -22,6 +22,31 @@ type APIAllCertificates struct {
 	CertIDs []string `json:"certs"`
 }
 
+var cipherSuites = map[string]uint16{
+	"TLS_RSA_WITH_RC4_128_SHA":                0x0005,
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           0x000a,
+	"TLS_RSA_WITH_AES_128_CBC_SHA":            0x002f,
+	"TLS_RSA_WITH_AES_256_CBC_SHA":            0x0035,
+	"TLS_RSA_WITH_AES_128_CBC_SHA256":         0x003c,
+	"TLS_RSA_WITH_AES_128_GCM_SHA256":         0x009c,
+	"TLS_RSA_WITH_AES_256_GCM_SHA384":         0x009d,
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        0xc007,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    0xc009,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    0xc00a,
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          0xc011,
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     0xc012,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      0xc013,
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      0xc014,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": 0xc023,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   0xc027,
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   0xc02f,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xc02b,
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   0xc030,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xc02c,
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    0xcca8,
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  0xcca9,
+}
+
 func getUpstreamCertificate(host string, spec *APISpec) (cert *tls.Certificate) {
 	var certID string
 
@@ -177,3 +202,14 @@ func certHandler(w http.ResponseWriter, r *http.Request) {
 		doJSONWrite(w, 200, &apiStatusMessage{"ok", "removed"})
 	}
 }
+
+func getCipherAliases(ciphers []string) (cipherCodes []uint16) {
+	for k, v := range cipherSuites {
+		for _, str := range ciphers {
+			if str == k {
+				cipherCodes = append(cipherCodes, v)
+			}
+		}
+	}
+	return cipherCodes
+}
diff --git a/config/config.go b/config/config.go
@@ -126,6 +126,7 @@ type HttpServerOptionsConfig struct {
 	MinVersion            uint16     `json:"min_version"`
 	FlushInterval         int        `json:"flush_interval"`
 	SkipURLCleaning       bool       `json:"skip_url_cleaning"`
+	Ciphers               []string   `json:"ciphers"`
 }
 
 type AuthOverrideConf struct {

diff --git a/lint/schema.go b/lint/schema.go
@@ -345,7 +345,13 @@ const confSchema = `{
 				"items": {
 					"type": "string"
 				}
-			}
+			},
+			"ciphers":{
+				"type": ["array", "null"],
+				"items": {
+					"type": "string"
+				}
+			},
 		}
 	},
 	"legacy_enable_allowance_countdown": {

diff --git a/main.go b/main.go
@@ -20,10 +20,10 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	logrus_syslog "github.com/Sirupsen/logrus/hooks/syslog"
-	"github.com/bshuster-repo/logrus-logstash-hook"
+	logstashHook "github.com/bshuster-repo/logrus-logstash-hook"
 	"github.com/evalphobia/logrus_sentry"
 	"github.com/facebookgo/pidfile"
-	"github.com/gemnasium/logrus-graylog-hook"
+	graylogHook "github.com/gemnasium/logrus-graylog-hook"
 	"github.com/gorilla/mux"
 	"github.com/justinas/alice"
 	"github.com/lonelycode/gorpc"
@@ -72,6 +72,7 @@ var (
 	controlRouter *mux.Router
 	LE_MANAGER    letsencrypt.Manager
 	LE_FIRSTRUN   bool
+	tlsCiphers    []uint16
 
 	NodeID string
 
@@ -776,7 +777,7 @@ func setupLogger() {
 		log.WithFields(logrus.Fields{
 			"prefix": "main",
 		}).Debug("Enabling Graylog support")
-		hook := graylog.NewGraylogHook(config.Global.GraylogNetworkAddr,
+		hook := graylogHook.NewGraylogHook(config.Global.GraylogNetworkAddr,
 			map[string]interface{}{"tyk-module": "gateway"})
 
 		log.Hooks.Add(hook)
@@ -791,7 +792,7 @@ func setupLogger() {
 		log.WithFields(logrus.Fields{
 			"prefix": "main",
 		}).Debug("Enabling Logstash support")
-		hook, err := logrus_logstash.NewHook(config.Global.LogstashTransport,
+		hook, err := logstashHook.NewHook(config.Global.LogstashTransport,
 			config.Global.LogstashNetworkAddr,
 			"tyk-gateway")
 
@@ -1204,12 +1205,17 @@ func generateListener(listenPort int) (net.Listener, error) {
 			"prefix": "main",
 		}).Info("--> Using SSL (https)")
 
+		if config.Global.HttpServerOptions.Ciphers != nil {
+			tlsCiphers = getCipherAliases(config.Global.HttpServerOptions.Ciphers)
+		}
+
 		tlsConfig := tls.Config{
 			GetCertificate:     dummyGetCertificate,
 			ServerName:         config.Global.HttpServerOptions.ServerName,
 			MinVersion:         config.Global.HttpServerOptions.MinVersion,
 			ClientAuth:         tls.RequestClientCert,
 			InsecureSkipVerify: config.Global.HttpServerOptions.SSLInsecureSkipVerify,
+			CipherSuites:       tlsCiphers,
 		}
 
 		tlsConfig.GetConfigForClient = getTLSConfigForClient(&tlsConfig, listenPort)