sensu · palourde · Dec 15, 2017 · Dec 15, 2017
diff --git a/uchiwa/config/config.go b/uchiwa/config/config.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"math/rand"
@@ -17,10 +18,11 @@ const obfuscatedValue = "*****"
 
 var (
 	defaultGlobalConfig = GlobalConfig{
-		Host:     "0.0.0.0",
-		Port:     3000,
-		LogLevel: "info",
-		Refresh:  10,
+		Audit: Audit{
+			Level:   "default",
+			Logfile: "/var/log/sensu/sensu-enterprise-dashboard-audit.log",
+		},
+		Host: "0.0.0.0",
 		Ldap: Ldap{
 			LdapServer: LdapServer{
 				Port:                 389,
@@ -31,9 +33,11 @@ var (
 				GroupObjectClass:     "groupOfNames",
 			},
 		},
-		Audit: Audit{
-			Level:   "default",
-			Logfile: "/var/log/sensu/sensu-enterprise-dashboard-audit.log",
+		LogLevel: "info",
+		Port:     3000,
+		Refresh:  10,
+		SSL: SSL{
+			TLSMinVersion: "tls10",
 		},
 		UsersOptions: UsersOptions{
 			DateFormat:             "YYYY-MM-DD HH:mm:ss",
@@ -244,6 +248,21 @@ func initUchiwa(global GlobalConfig) GlobalConfig {
 		global.Users = append(global.Users, authentication.User{Username: global.User, Password: global.Pass, FullName: global.User})
 	}
 
+	// TLS configuration
+	var cipherSuite []uint16
+	if len(global.SSL.CipherSuite) == 0 {
+		cipherSuite = defaultCipherSuite()
+	} else {
+		cipherSuite = parseCipherSuite(global.SSL.CipherSuite)
+	}
+
+	global.SSL.TLSConfig = &tls.Config{
+		MinVersion:               TLSVersions[global.SSL.TLSMinVersion],
+		MaxVersion:               tls.VersionTLS12,
+		CipherSuites:             cipherSuite,
+		PreferServerCipherSuites: true,
+	}
+
 	// Set the logger level
 	logger.SetLogLevel(global.LogLevel)
 

diff --git a/uchiwa/config/structs.go b/uchiwa/config/structs.go
@@ -94,6 +94,7 @@ type Ldap struct {
 	Servers []LdapServer
 }
 
+// LdapServer contains the configuration of a specific LDAP server
 type LdapServer struct {
 	Server               string
 	Port                 int
@@ -126,8 +127,11 @@ type OIDC struct {
 
 // SSL struct contains the path the SSL certificate and key
 type SSL struct {
-	CertFile string
-	KeyFile  string
+	CertFile      string
+	KeyFile       string
+	CipherSuite   []string
+	TLSMinVersion string
+	TLSConfig     *tls.Config
 }
 
 // UsersOptions struct contains various config tweaks

diff --git a/uchiwa/config/tls.go b/uchiwa/config/tls.go
@@ -0,0 +1,74 @@
+package config
+
+import (
+	"crypto/tls"
+	"strings"
+
+	"github.com/sensu/uchiwa/uchiwa/logger"
+)
+
+// TLSVersions contains a correspondence  map for TLS versions in config
+var TLSVersions = map[string]uint16{
+	"tls10": tls.VersionTLS10,
+	"tls11": tls.VersionTLS11,
+	"tls12": tls.VersionTLS12,
+}
+
+// defaultCipherSuite returns the default cipher suite for Uchiwa, which
+// contains the default Go cipher suite minus cipher using 3DES (SWEET32)
+func defaultCipherSuite() []uint16 {
+	return []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	}
+}
+
+// parseCipherSuite takes a list of cipher suite IDs as defined in
+// https"://golang.org/src/crypto/tls/cipher_suites.go and returns their uint16
+// equivalent
+func parseCipherSuite(ids []string) []uint16 {
+	ciphers := []uint16{}
+
+	correspondenceMap := map[string]uint16{
+		"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
+		"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		"TvLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":  tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	}
+
+	for _, id := range ids {
+		id = strings.ToUpper(id)
+		if cipher, ok := correspondenceMap[id]; ok {
+			ciphers = append(ciphers, cipher)
+		} else {
+			logger.Fatalf("unknown '%s' cipher", id)
+		}
+	}
+
+	return ciphers
+}
diff --git a/uchiwa/server.go b/uchiwa/server.go
@@ -2,6 +2,7 @@ package uchiwa
 
 import (
 	"compress/gzip"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -1381,7 +1382,12 @@ func (u *Uchiwa) WebServer(publicPath *string, auth authentication.Config) {
 	logger.Warningf("Uchiwa is now listening on %s", listen)
 
 	if u.Config.Uchiwa.SSL.CertFile != "" && u.Config.Uchiwa.SSL.KeyFile != "" {
-		logger.Fatal(http.ListenAndServeTLS(listen, u.Config.Uchiwa.SSL.CertFile, u.Config.Uchiwa.SSL.KeyFile, nil))
+		server := http.Server{
+			Addr:         listen,
+			TLSConfig:    u.Config.Uchiwa.SSL.TLSConfig,
+			TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
+		}
+		logger.Fatal(server.ListenAndServeTLS(u.Config.Uchiwa.SSL.CertFile, u.Config.Uchiwa.SSL.KeyFile))
 	}
 
 	logger.Fatal(http.ListenAndServe(listen, nil))