[#878] neofs-node: default to secure TLS settings

Support TLS >=1.2 only and strong cipher suites.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>

cmd/neofs-node/config/grpc/config.go

@@ -78,6 +78,11 @@ func (tls TLSConfig) CertificateFile() string {
 	return v
 }
 
+// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted.
+func (tls TLSConfig) UseInsecureCrypto() bool {
+	return config.BoolSafe(tls.cfg, "use_insecure_crypto")
+}
+
 // IterateEndpoints iterates over subsections ["0":"N") (N - "num" value)
 // of "grpc" section of c, wrap them into Config and passes to f.
 //

cmd/neofs-node/config/grpc/config_test.go

@@ -31,12 +31,17 @@ func TestGRPCSection(t *testing.T) {
 			case 0:
 				require.Equal(t, "s01.neofs.devenv:8080", sc.Endpoint())
 
+				require.NotNil(t, tls)
 				require.Equal(t, "/path/to/cert", tls.CertificateFile())
 				require.Equal(t, "/path/to/key", tls.KeyFile())
+				require.False(t, tls.UseInsecureCrypto())
 			case 1:
 				require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint())
-
 				require.Nil(t, tls)
+			case 2:
+				require.Equal(t, "s03.neofs.devenv:8080", sc.Endpoint())
+				require.NotNil(t, tls)
+				require.True(t, tls.UseInsecureCrypto())
 			}
 		})
 	}

cmd/neofs-node/grpc.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 
@@ -25,8 +26,29 @@ func initGRPC(c *cfg) {
 		tlsCfg := sc.TLS()
 
 		if tlsCfg != nil {
-			creds, err := credentials.NewServerTLSFromFile(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
-			fatalOnErrDetails("could not read credentials from file", err)
+			cert, err := tls.LoadX509KeyPair(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
+			fatalOnErrDetails("could not read certificate from file", err)
+
+			var cipherSuites []uint16
+			if !tlsCfg.UseInsecureCrypto() {
+				// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
+				// excluding:
+				// 1. TLS 1.3 suites need not be specified here.
+				// 2. Suites that use DH key exchange are not implemented by stdlib.
+				cipherSuites = []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+				}
+			}
+			creds := credentials.NewTLS(&tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: cipherSuites,
+				Certificates: []tls.Certificate{cert},
+			})
 
 			serverOpts = append(serverOpts, grpc.Creds(creds))
 		}

config/example/node.json

@@ -53,6 +53,13 @@
       "tls": {
         "enabled": false
       }
+    },
+    "2": {
+      "endpoint": "s03.neofs.devenv:8080",
+      "tls": {
+        "enabled": true,
+        "use_insecure_crypto": true
+      }
     }
   },
   "control": {

config/example/node.yaml

@@ -37,7 +37,7 @@ grpc:
   0:
     endpoint: s01.neofs.devenv:8080  # endpoint for gRPC server
     tls:
-      enabled: true  # use TLS for a gRPC connection
+      enabled: true  # use TLS for a gRPC connection (min version is TLS 1.2)
       certificate: /path/to/cert  # path to TLS certificate
       key: /path/to/key  # path to TLS key
 
@@ -45,6 +45,11 @@ grpc:
     endpoint: s02.neofs.devenv:8080  # endpoint for gRPC server
     tls:
       enabled: false  # use TLS for a gRPC connection
+  2:
+    endpoint: s03.neofs.devenv:8080
+    tls:
+      enabled: true
+      use_insecure_crypto: true # allow using insecure ciphers with TLS 1.2
 
 control:
   authorized_keys:  # list of hex-encoded public keys that have rights to use the Control Service