Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

*: support TLS cipher suite whitelist #9801

Merged
merged 8 commits into from Jun 5, 2018
Merged

*: support TLS cipher suite whitelist #9801

merged 8 commits into from Jun 5, 2018

Conversation

gyuho
Copy link
Contributor

@gyuho gyuho commented Jun 4, 2018
edited

Fail TLS handshake when client hello is requested with invalid cipher suites.

Succeeds if client requests with matching or empty cipher suites.

Fix #8320.

@gyuho gyuho mentioned this pull request Jun 4, 2018
Closed
@gyuho gyuho force-pushed the cipher-suites branch 2 times, most recently from 1e1a4d8 to 4ffd31d Compare June 4, 2018 18:36
@codecov-io
Copy link

Codecov Report

Merging #9801 into master will increase coverage by 0.04%.
The diff coverage is 64.1%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #9801      +/-   ##
==========================================
+ Coverage   69.58%   69.63%   +0.04%     
==========================================
  Files         376      377       +1     
  Lines       35229    35263      +34     
==========================================
+ Hits        24514    24554      +40     
+ Misses       8954     8950       -4     
+ Partials     1761     1759       -2
Impacted Files Coverage Δ
pkg/tlsutil/cipher_suites.go 100% <100%> (ø)
pkg/transport/listener.go 58.67% <100%> (+0.42%) ⬆️
etcdmain/config.go 83.11% <100%> (+0.3%) ⬆️
embed/config.go 58.5% <50%> (-0.42%) ⬇️
embed/etcd.go 67.41% <60%> (-0.25%) ⬇️
etcdctl/ctlv3/command/printer.go 20.51% <0%> (-19.66%) ⬇️
etcdserver/v2_server.go 80.76% <0%> (-3.85%) ⬇️
mvcc/watcher.go 96.29% <0%> (-3.71%) ⬇️
proxy/httpproxy/director.go 80% <0%> (-2.86%) ⬇️
clientv3/concurrency/election.go 79.52% <0%> (-2.37%) ⬇️
... and 20 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 438e675...4ffd31d. Read the comment docs.

@joelegasse joelegasse self-requested a review June 4, 2018 20:06
@gyuho
Copy link
Contributor Author

gyuho commented Jun 4, 2018

/cc @liggitt

joelegasse
joelegasse approved these changes Jun 5, 2018
View reviewed changes
Copy link
Contributor

@joelegasse joelegasse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, just a couple places that could benefit from some branching logic cleanup.

embed/config.go Outdated
}
return updateCipherSuites(&cfg.ClientTLSInfo, cfg.ClientCipherSuites)
}
if cfg.ClientAutoTLS {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you're already modifying the logic here, could we simplify this method to just have if !cfg.ClientAutoTLS { return nil } at the top? It would remove this if on 743 and simplify the check above.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! Will update.

embed/config.go Outdated
}
return updateCipherSuites(&cfg.PeerTLSInfo, cfg.PeerCipherSuites)
}
if cfg.PeerAutoTLS {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar change here as above, just start with if !cfg.PeerAutoTLS { return nil }, and remove that check for the rest of the method.

@gyuho gyuho requested a review from ericchiang June 5, 2018 18:19
ericchiang
ericchiang reviewed Jun 5, 2018
View reviewed changes
Copy link
Contributor

@ericchiang ericchiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you need two flags? Maybe just have one that restricts all endpoint and client uses?

embed/config.go Outdated
// ClientCipherSuites is a list of supported cipher suites between server and client.
// If empty, Go auto-populates it by default.
// Note that cipher suites are prioritized in the given order.
ClientCipherSuites []string `json:"client-cipher-suites"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does this have a JSON tag?

Copy link
Contributor Author

@gyuho gyuho Jun 5, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have YAML configuration file format, which uses json tag to read flag values.

@gyuho
Copy link
Contributor Author

gyuho commented Jun 5, 2018

As @ericchiang suggested, will be switching to one shared flag both for server and client side.

@gyuho gyuho added the WIP label Jun 5, 2018
gyuho added 8 commits June 5, 2018 12:26
@gyuho
pkg/tlsutil: add "GetCipherSuite"
67313ff 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
pkg/transport: add "TLSInfo.CipherSuites" field
3fb9cc8 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
integration: test client-side TLS cipher suites
917d40c 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
embed: support custom cipher suites
3125c0c 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
etcdmain: add "--cipher-suites" flag
abffe0d 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
tests/e2e: test client-side cipher suites with curl
d82f726 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
CHANGELOG: highlight custom cipher suite feature
96e8cff 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho
Documentation/op-guide: document "--cipher-suites"
1a47c28 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
@gyuho gyuho removed the WIP label Jun 5, 2018
@gyuho gyuho merged commit 54ed4de into etcd-io:master Jun 5, 2018
@gyuho gyuho deleted the cipher-suites branch June 5, 2018 22:46
liggitt
liggitt reviewed Jun 11, 2018
View reviewed changes
embed/config.go
if err != nil {
return err
}
return updateCipherSuites(&cfg.PeerTLSInfo, cfg.CipherSuites)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updateCipherSuites fails if called with non-empty ciphers twice, right?

in configurePeerListeners(), we call updateCipherSuites() and then call PeerSelfCert(), which also calls updateCipherSuites(). doesn't that mean we will fail if cfg.PeerAutoTLS and cfg.CipherSuites are both set?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt transport.SelfCert initializes cfg.PeerTLSInfo.CipherSuites as empty, so this should be safe?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt transport.SelfCert initializes cfg.PeerTLSInfo.CipherSuites as empty, so this should be safe?

ok, didn't trace it past these two methods, was just looking at the config inputs

@vadimeisenbergibm vadimeisenbergibm mentioned this pull request Jul 28, 2020
Closed
@9547 9547 mentioned this pull request Jun 30, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@ericchiang ericchiang ericchiang left review comments

@joelegasse joelegasse joelegasse approved these changes

Assignees
No one assigned
Labels
area/tls backport/v3.3
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@gyuho @codecov-io @liggitt @joelegasse @ericchiang