-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(tls): Update TLS strict cipher suite to actually work #20921
Conversation
@@ -616,10 +619,6 @@ func (m *Launcher) run(ctx context.Context, opts *InfluxdOpts) (err error) { | |||
log.Info("Stopping") | |||
}(m.log) | |||
|
|||
m.httpServer = &nethttp.Server{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Took the opportunity to factor some code out of the huge run
method here.
a3b6948
to
a2f8ae4
Compare
7339573
to
dd68d00
Compare
} | ||
tlsMinVersion = tls.VersionTLS13 | ||
default: | ||
return fmt.Errorf("unsupported TLS version: %s", opts.HttpTLSMinVersion) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
if tlsMinVersion != tls.VersionTLS13 && opts.HttpTLSStrictCiphers { | ||
cipherConfig = strictCiphers | ||
var tlsMinVersion uint16 | ||
var useStrictCiphers = opts.HttpTLSStrictCiphers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this / should this default true for 1.2?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It currently defaults to false
for all versions (maybe because setting it to true
made everything break). I'm wary of changing the default at this point since I don't know what impact to expect on existing users, but if somebody from product / somebody with more TLS knowledge gave the 👍 then I'd be ok with it. Would want to remove the Warn
log in the 1.3 case to avoid noise.
|
||
return nil | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 for function break
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple questions - see comments
Self review: it looks like the description of the strict-cipher flag hard-codes the accepted cipher list. Will need to update that. |
Update cipher suite list when `tls-strict-ciphers` is enabled to match changes made in influxdata/influxdb#20921
Update cipher suite list when `tls-strict-ciphers` is enabled to match changes made in influxdata/influxdb#20921
Closes #20762
The cipher suite we had hard-coded was invalid, and would cause the
influxd
process to hang on startup. The user who reported the problem referenced a Mozilla page that showed the proper suite to use, so I swapped to using it. I also fixed the code so a failure to serve HTTP/HTTPS will causeinfluxd
to exit instead of hang.I've added a regression suite to check that enabling TLS works at all. Hopefully that'll catch problems like this in the future...