forked from sensu/sensu-go
-
Notifications
You must be signed in to change notification settings - Fork 0
/
tls.go
107 lines (92 loc) · 3.28 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package v2
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
)
var (
// PCI compliance as of Jun 30, 2018: anything under TLS 1.1 must be disabled
// we bump this up to TLS 1.2 so we can support the best possible ciphers
tlsMinVersion = uint16(tls.VersionTLS12)
// DefaultCipherSuites overrides the default cipher suites in order to disable
// CBC suites (Lucky13 attack) this means TLS 1.1 can't work (no GCM)
// additionally, we should only use perfect forward secrecy ciphers
DefaultCipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
// these ciphers require go 1.8+
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}
// optimal EC curve preference
// curve reference: http://safecurves.cr.yp.to/
tlsCurvePreferences = []tls.CurveID{
// this curve is a non-NIST curve with no NSA influence. Prefer this over all others!
tls.X25519,
// These curves are provided by NIST; optimal order
tls.CurveP384,
tls.CurveP256,
tls.CurveP521,
}
)
// ToServerTLSConfig should only be used for server TLS configuration. outputs a tls.Config from TLSOptions
func (t *TLSOptions) ToServerTLSConfig() (*tls.Config, error) {
cfg := tls.Config{}
if t.GetCertFile() != "" && t.GetKeyFile() != "" {
cert, err := tls.LoadX509KeyPair(t.GetCertFile(), t.GetKeyFile())
if err != nil {
return nil, fmt.Errorf("Error loading tls server certificate: %s", err)
}
cfg.Certificates = []tls.Certificate{cert}
}
// useful when we present multiple certificates
cfg.BuildNameToCertificate()
// apply hardened TLS settings
cfg.MinVersion = tlsMinVersion
cfg.CurvePreferences = tlsCurvePreferences
cfg.CipherSuites = DefaultCipherSuites
// Tell the server to prefer it's own cipher suite ordering over the client's preferred ordering
cfg.PreferServerCipherSuites = true
return &cfg, nil
}
// ToClientTLSConfig is like ToServerTLSConfig but intended for TLS client config.
func (t *TLSOptions) ToClientTLSConfig() (*tls.Config, error) {
cfg := tls.Config{}
cfg.InsecureSkipVerify = t.InsecureSkipVerify
if t.TrustedCAFile != "" {
caCertPool, err := LoadCACerts(t.TrustedCAFile)
if err != nil {
return nil, err
}
// client trust store should ONLY consist of specified CAs
cfg.RootCAs = caCertPool
}
if t.GetCertFile() != "" && t.GetKeyFile() != "" {
cert, err := tls.LoadX509KeyPair(t.GetCertFile(), t.GetKeyFile())
if err != nil {
return nil, fmt.Errorf("Error loading tls client certificate: %s", err)
}
cfg.Certificates = []tls.Certificate{cert}
}
// apply hardened TLS settings
cfg.MinVersion = tlsMinVersion
cfg.CurvePreferences = tlsCurvePreferences
cfg.CipherSuites = DefaultCipherSuites
return &cfg, nil
}
// LoadCACerts takes the path to a certificate bundle file in PEM format and try
// to create a x509.CertPool out of it.
func LoadCACerts(path string) (*x509.CertPool, error) {
caCerts, err := ioutil.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("Error reading CA file: %s", err)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCerts) {
return nil, fmt.Errorf("No certificates could be parsed out of %s", err)
}
return caCertPool, nil
}