5 changes: 5 additions & 0 deletions crates/stackable-webhook/CHANGELOG.md
Expand Up @@ -21,11 +21,16 @@ All notable changes to this project will be documented in this file.
- Bump GitHub workflow actions ([#772]).
- Revert `zeroize` version bump ([#772]).

### Fixed

- Explicitly set the TLS provider for the ServerConfig, and enable "safe" protocols ([#778]).

[#758]: https://github.com/stackabletech/operator-rs/pull/758
[#762]: https://github.com/stackabletech/operator-rs/pull/762
[#767]: https://github.com/stackabletech/operator-rs/pull/767
[#769]: https://github.com/stackabletech/operator-rs/pull/769
[#772]: https://github.com/stackabletech/operator-rs/pull/772
[#778]: https://github.com/stackabletech/operator-rs/pull/778
[#782]: https://github.com/stackabletech/operator-rs/pull/782

## [0.2.0] - 2024-03-26
17 changes: 15 additions & 2 deletions crates/stackable-webhook/src/tls.rs
Expand Up @@ -10,7 +10,14 @@ use snafu::{ResultExt, Snafu};
use stackable_certs::{ca::CertificateAuthority, keys::rsa, CertificatePairError};
use stackable_operator::time::Duration;
use tokio::net::TcpListener;
use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
use tokio_rustls::{
rustls::{
crypto::aws_lc_rs::default_provider,
version::{TLS12, TLS13},
ServerConfig,
},
TlsAcceptor,
};
use tower::Service;
use tracing::{instrument, trace, warn};

Expand Down Expand Up @@ -44,6 +51,9 @@ pub enum Error {
EncodePrivateKeyDer {
source: CertificatePairError<rsa::Error>,
},

#[snafu(display("failed to set safe TLS protocol versions"))]
SetSafeTlsProtocolVersions { source: tokio_rustls::rustls::Error },
}

/// Custom implementation of [`std::cmp::PartialEq`] because some inner types
Expand Down Expand Up @@ -97,7 +107,10 @@ impl TlsServer {
.private_key_der()
.context(EncodePrivateKeyDerSnafu)?;

let mut config = ServerConfig::builder()
let tls_provider = default_provider();
let mut config = ServerConfig::builder_with_provider(tls_provider.into())
.with_protocol_versions(&[&TLS12, &TLS13])
.context(SetSafeTlsProtocolVersionsSnafu)?
.with_no_client_auth()
.with_single_cert(vec![certificate_der], private_key_der)
.context(InvalidTlsPrivateKeySnafu)?;
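Review bot: The version list passed to `with_protocol_versions` on the line after `builder_with_provider` is not explained anywhere in the hunk, and since `&[&TLS12, &TLS13]` is, as far as I know, exactly the set rustls enables by default, a reader will wonder what the explicit call buys over `with_safe_default_protocol_versions()`. A comment above the builder chain should state the intent, e.g. `// Pin the accepted protocol versions explicitly instead of inheriting rustls' defaults, so a future change in those defaults cannot silently widen or narrow what this server negotiates.` If the longer-term plan is to move to TLS 1.3 only, saying so in that comment makes the TLS 1.2 entry read as a deliberate compatibility choice rather than an oversight. The `tls_provider` binding is used once and could be inlined as `ServerConfig::builder_with_provider(default_provider().into())`, though that is a matter of taste. The enclosing method of `impl TlsServer` begins and ends outside the hunk.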