From 0189540ff2a5ea51130059126040022877875670 Mon Sep 17 00:00:00 2001
From: joshblakeley
Date: Thu, 11 Jan 2018 11:09:20 +0000
Subject: [PATCH] whitelist for ciphersuites available for TLS
---
 cert.go | 36 ++++++++++++++++++++++++++++++++++++
 config/config.go | 1 +
 lint/schema.go | 8 +++++++-
 main.go | 14 ++++++++++----
 4 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/cert.go b/cert.go
index 24283f5f16c..acefa8fbd93 100644
--- a/cert.go
+++ b/cert.go
@@ -22,6 +22,31 @@ type APIAllCertificates struct {
 CertIDs []string `json:"certs"`
 }
 
+var cipherSuites = map[string]uint16{
+ "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000a,
+ "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002f,
+ "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
+ "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003c,
+ "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009c,
+ "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009d,
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": 0xc007,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": 0xc009,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 0xc00a,
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA": 0xc011,
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": 0xc012,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xc013,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xc014,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": 0xc023,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xc027,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xc02f,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xc02b,
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xc030,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xc02c,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": 0xcca8,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": 0xcca9,
+}
+
 func getUpstreamCertificate(host string, spec *APISpec) (cert *tls.Certificate) {
 var certID string
 
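Review bot: The cipherSuites table hand-codes the suite IDs (0x0005 … 0xcca9) although crypto/tls already exports each of them as a named uint16 constant and cert.go already imports tls (see the getUpstreamCertificate signature below the table); writing the values as `"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,` and `"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,` lets the compiler catch a mistyped code and keeps the table tied to what the linked Go version can actually negotiate. The table also admits the RC4 and 3DES suites, so this whitelist only enumerates what crypto/tls supports, not what is safe to enable, and nothing tells an operator that; a header comment should make that explicit, e.g. `// cipherSuites maps config names to crypto/tls suite IDs. It lists every suite Go can negotiate; the RC4 and 3DES entries are legacy and should not be enabled.` The hunk's trailing context appears truncated in this rendering, so the last context line is inferred from the hunk counts.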
@@ -177,3 +202,14 @@ func certHandler(w http.ResponseWriter, r *http.Request) {
 doJSONWrite(w, 200, &apiStatusMessage{"ok", "removed"})
 }
 }
+
+func getCipherAliases(ciphers []string) (cipherCodes []uint16) {
+ for k, v := range cipherSuites {
+ for _, str := range ciphers {
+ if str == k {
+ cipherCodes = append(cipherCodes, v)
+ }
+ }
+ }
+ return cipherCodes
+}
diff --git a/config/config.go b/config/config.go
index db6bc0a0429..91cf32a27a7 100644
--- a/config/config.go
+++ b/config/config.go
@@ -126,6 +126,7 @@ type HttpServerOptionsConfig struct {
 MinVersion uint16 `json:"min_version"`
 FlushInterval int `json:"flush_interval"`
 SkipURLCleaning bool `json:"skip_url_cleaning"`
+ Ciphers []string `json:"ciphers"`
 }
 
 type AuthOverrideConf struct {
diff --git a/lint/schema.go b/lint/schema.go
index 59181477185..74ac0c4b366 100644
--- a/lint/schema.go
+++ b/lint/schema.go
@@ -345,7 +345,13 @@ const confSchema = `{
 "items": {
 "type": "string"
 }
- }
+ },
+ "ciphers":{
+ "type": ["array", "null"],
+ "items": {
+ "type": "string"
+ }
+ },
 }
 },
 "legacy_enable_allowance_countdown": {
diff --git a/main.go b/main.go
index c5794f3fda9..5adad6fa048 100644
--- a/main.go
+++ b/main.go
@@ -20,10 +20,10 @@ import (
 
 "github.com/Sirupsen/logrus"
 logrus_syslog "github.com/Sirupsen/logrus/hooks/syslog"
- "github.com/bshuster-repo/logrus-logstash-hook"
+ logstashHook "github.com/bshuster-repo/logrus-logstash-hook"
 "github.com/evalphobia/logrus_sentry"
 "github.com/facebookgo/pidfile"
- "github.com/gemnasium/logrus-graylog-hook"
+ graylogHook "github.com/gemnasium/logrus-graylog-hook"
 "github.com/gorilla/mux"
 "github.com/justinas/alice"
 "github.com/lonelycode/gorpc"
@@ -72,6 +72,7 @@ var (
 controlRouter *mux.Router
 LE_MANAGER letsencrypt.Manager
 LE_FIRSTRUN bool
+ tlsCiphers []uint16
 
 NodeID string
 
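Review bot: getCipherAliases silently drops every configured name that is not a key of cipherSuites, and when none match it returns a nil slice, which generateListener in main.go (the last hunk of this patch) then assigns to tls.Config.CipherSuites — a nil CipherSuites makes crypto/tls use its full default list, so a single typo in `ciphers` quietly yields a wider suite set than the operator intended instead of an error. Each unknown name should be reported (logged, or returned as an error so startup fails), and a map lookup per configured name is both simpler than the double range and preserves the operator's order, which matters once PreferServerCipherSuites is set. The rewrite below keeps the signature; it assumes the package-level `log` that main.go uses is visible from cert.go, which this diff does not show.
```go
func getCipherAliases(ciphers []string) (cipherCodes []uint16) {
	for _, name := range ciphers {
		code, ok := cipherSuites[name]
		if !ok {
			// An unrecognised name must not silently widen the negotiated set.
			log.Warningf("ignoring unknown TLS cipher suite %q", name)
			continue
		}
		cipherCodes = append(cipherCodes, code)
	}
	return cipherCodes
}
```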
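Review bot: The new Ciphers field in HttpServerOptionsConfig has no comment saying which names it accepts or what an absent value means, and the accepted names are only discoverable by reading the cipherSuites map in cert.go. A one-line doc comment would close that gap, e.g. `// Ciphers restricts the TLS suites the listener offers, by crypto/tls constant name (see cipherSuites in cert.go); nil or empty keeps Go's defaults.`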
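Review bot: The added `"ciphers"` block in confSchema ends with `},` and is immediately followed by the context line `}` that closes the enclosing properties object, so the schema now contains a trailing comma; that is not valid JSON, and unless the schema loader is lenient about it the whole confSchema will fail to parse and every lint run will report that instead of real config errors. The comma belongs only on the property that precedes ciphers: keep the changed `- }` → `+ },` and make the block's own last line `+ }`. Because the accepted names are a fixed set (the keys of cipherSuites in cert.go), giving `items` an `enum` of those names would also catch a misspelled suite at lint time rather than having it silently ignored at startup.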
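Review bot: tlsCiphers is introduced as package-level mutable state, yet the only writer and reader visible in this patch is generateListener (main.go's last hunk), so it does not need to be global; a local such as `ciphers := getCipherAliases(config.Global.HttpServerOptions.Ciphers)` placed into the tls.Config literal avoids one more shared variable that a second listener, a reload path, or a test could observe mid-update. If the global is kept, a comment should state that it is set once at listener creation and not mutated afterwards, since nothing enforces that.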
@@ -776,7 +777,7 @@ func setupLogger() {
 log.WithFields(logrus.Fields{
 "prefix": "main",
 }).Debug("Enabling Graylog support")
- hook := graylog.NewGraylogHook(config.Global.GraylogNetworkAddr,
+ hook := graylogHook.NewGraylogHook(config.Global.GraylogNetworkAddr,
 map[string]interface{}{"tyk-module": "gateway"})
 log.Hooks.Add(hook)
 
@@ -791,7 +792,7 @@ func setupLogger() {
 log.WithFields(logrus.Fields{
 "prefix": "main",
 }).Debug("Enabling Logstash support")
- hook, err := logrus_logstash.NewHook(config.Global.LogstashTransport,
+ hook, err := logstashHook.NewHook(config.Global.LogstashTransport,
 config.Global.LogstashNetworkAddr, "tyk-gateway")
 
@@ -1204,12 +1205,17 @@ func generateListener(listenPort int) (net.Listener, error) {
 "prefix": "main",
 }).Info("--> Using SSL (https)")
 
+ if config.Global.HttpServerOptions.Ciphers != nil {
+ tlsCiphers = getCipherAliases(config.Global.HttpServerOptions.Ciphers)
+ }
+
 tlsConfig := tls.Config{
 GetCertificate: dummyGetCertificate,
 ServerName: config.Global.HttpServerOptions.ServerName,
 MinVersion: config.Global.HttpServerOptions.MinVersion,
 ClientAuth: tls.RequestClientCert,
 InsecureSkipVerify: config.Global.HttpServerOptions.SSLInsecureSkipVerify,
+ CipherSuites: tlsCiphers,
 }
 
 tlsConfig.GetConfigForClient = getTLSConfigForClient(&tlsConfig, listenPort)
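Review bot: CipherSuites is populated from the configured list but PreferServerCipherSuites is left at its zero value in the tls.Config literal, so on Go versions before 1.17 the client's preference order, not the operator's, decides which of the allowed suites is negotiated; when a list is configured it is worth also setting `PreferServerCipherSuites: true,` so the order given in `ciphers` is honoured. The resolved set is never surfaced either: a log line beside the existing "--> Using SSL (https)" message stating how many suites were applied, or that Go's defaults are in use because the list resolved to nothing, would let an operator confirm the restriction took effect. The `!= nil` guard is redundant, since getCipherAliases returns nil for a nil or empty input anyway. generateListener's body begins and continues outside the hunk.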