[FAB-7534] Use strong ciphers for TLS

In Fabric v1.1, the default ciphers for TLS were updated to a generally accepted set of high ciphers. This change does the same for the fabric-ca server and client. Change-Id: Ic5a267b5d18e7f82d6750700c6f1eb5976b5ed5b Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
hyperledger · May 22, 2018 · 2032d77 · 2032d77
1 parent bedd37c
commit 2032d77
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/lib/client.go b/lib/client.go
@@ -153,6 +153,8 @@ func (c *Client) initHTTPClient() error {
 		if err2 != nil {
 			return fmt.Errorf("Failed to get client TLS config: %s", err2)
 		}
+		// set the default ciphers
+		tlsConfig.CipherSuites = tls.DefaultCipherSuites
 		tr.TLSClientConfig = tlsConfig
 	}
 	c.httpClient = &http.Client{Transport: tr}

diff --git a/lib/server.go b/lib/server.go
@@ -546,6 +546,7 @@ func (s *Server) listenAndServe() (err error) {
 			ClientCAs:    certPool,
 			MinVersion:   tls.VersionTLS12,
 			MaxVersion:   tls.VersionTLS12,
+			CipherSuites: stls.DefaultCipherSuites,
 		}
 
 		listener, err = tls.Listen("tcp", addr, config)

diff --git a/lib/tls/tls.go b/lib/tls/tls.go
@@ -30,6 +30,16 @@ import (
 	"github.com/hyperledger/fabric/bccsp/factory"
 )
 
+// DefaultCipherSuites is a set of strong TLS cipher suites
+var DefaultCipherSuites = []uint16{
+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+}
+
 // ServerTLSConfig defines key material for a TLS server
 type ServerTLSConfig struct {
 	Enabled    bool   `help:"Enable TLS on the listening port"`