From d1be5b5f9ee74da3aba0ba4cd09470a4687644ba Mon Sep 17 00:00:00 2001 From: Evgenii Stratonikov Date: Tue, 30 Nov 2021 13:07:46 +0300 Subject: [PATCH] [#878] neofs-node: default to secure TLS settings Support TLS >=1.2 only and strong cipher suites. Signed-off-by: Evgenii Stratonikov --- cmd/neofs-node/config/grpc/config.go | 5 +++++ cmd/neofs-node/config/grpc/config_test.go | 7 +++++- cmd/neofs-node/grpc.go | 26 +++++++++++++++++++++-- config/example/node.json | 7 ++++++ config/example/node.yaml | 7 +++++- 5 files changed, 48 insertions(+), 4 deletions(-) diff --git a/cmd/neofs-node/config/grpc/config.go b/cmd/neofs-node/config/grpc/config.go index 6029b5658..1b0777944 100644 --- a/cmd/neofs-node/config/grpc/config.go +++ b/cmd/neofs-node/config/grpc/config.go @@ -78,6 +78,11 @@ func (tls TLSConfig) CertificateFile() string { return v } +// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted. +func (tls TLSConfig) UseInsecureCrypto() bool { + return config.BoolSafe(tls.cfg, "use_insecure_crypto") +} + // IterateEndpoints iterates over subsections ["0":"N") (N - "num" value) // of "grpc" section of c, wrap them into Config and passes to f. // diff --git a/cmd/neofs-node/config/grpc/config_test.go b/cmd/neofs-node/config/grpc/config_test.go index 2247c4c74..c05ff243c 100644 --- a/cmd/neofs-node/config/grpc/config_test.go +++ b/cmd/neofs-node/config/grpc/config_test.go @@ -31,12 +31,17 @@ func TestGRPCSection(t *testing.T) { case 0: require.Equal(t, "s01.neofs.devenv:8080", sc.Endpoint()) + require.NotNil(t, tls) require.Equal(t, "/path/to/cert", tls.CertificateFile()) require.Equal(t, "/path/to/key", tls.KeyFile()) + require.False(t, tls.UseInsecureCrypto()) case 1: require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint()) - require.Nil(t, tls) + case 2: + require.Equal(t, "s03.neofs.devenv:8080", sc.Endpoint()) + require.NotNil(t, tls) + require.True(t, tls.UseInsecureCrypto()) } }) } 
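Review bot: The doc comment on `UseInsecureCrypto` in cmd/neofs-node/config/grpc/config.go does not say what an absent key yields, and that default is the security-relevant part of the option. The test added in config_test.go asserts false for endpoint 0, which sets no `use_insecure_crypto`, so the restricted list appears to be the default; `config.BoolSafe` itself is outside this diff. I would word it as `// UseInsecureCrypto reports whether the TLS 1.2 cipher suites are left unrestricted.` followed by `// It is false when "use_insecure_crypto" is absent, so the restricted list is the default.`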
diff --git a/cmd/neofs-node/grpc.go b/cmd/neofs-node/grpc.go index 576f58b13..ee7f462f8 100644 --- a/cmd/neofs-node/grpc.go +++ b/cmd/neofs-node/grpc.go @@ -1,6 +1,7 @@ package main import ( + "crypto/tls" "fmt" "net" @@ -25,8 +26,29 @@ func initGRPC(c *cfg) { tlsCfg := sc.TLS() if tlsCfg != nil { - creds, err := credentials.NewServerTLSFromFile(tlsCfg.CertificateFile(), tlsCfg.KeyFile()) - fatalOnErrDetails("could not read credentials from file", err) + cert, err := tls.LoadX509KeyPair(tlsCfg.CertificateFile(), tlsCfg.KeyFile()) + fatalOnErrDetails("could not read certificate from file", err) + + var cipherSuites []uint16 + if !tlsCfg.UseInsecureCrypto() { + // This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS + // excluding: + // 1. TLS 1.3 suites need not be specified here. + // 2. Suites that use DH key exchange are not implemented by stdlib. + cipherSuites = []uint16{ + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + } + } + creds := credentials.NewTLS(&tls.Config{ + MinVersion: tls.VersionTLS12, + CipherSuites: cipherSuites, + Certificates: []tls.Certificate{cert}, + }) serverOpts = append(serverOpts, grpc.Creds(creds)) } diff --git a/config/example/node.json b/config/example/node.json index a6213ef56..cf9538817 100644 --- a/config/example/node.json +++ b/config/example/node.json @@ -53,6 +53,13 @@ "tls": { "enabled": false } + }, + "2": { + "endpoint": "s03.neofs.devenv:8080", + "tls": { + "enabled": true, + "use_insecure_crypto": true + } } }, "control": { diff --git a/config/example/node.yaml b/config/example/node.yaml index ddbe17563..283bd86a8 100644 --- a/config/example/node.yaml +++ b/config/example/node.yaml 
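Review bot: With `use_insecure_crypto` set, `cipherSuites` in initGRPC stays nil, so the TLS 1.2 suite choice falls back to whatever crypto/tls enables by default in the Go version the node is built with, and nothing in this hunk makes that visible at startup. A comment on the declaration would record the intent, e.g. `// nil leaves the TLS 1.2 suites to the crypto/tls defaults, which differ between Go releases`, and a warning log naming the endpoint when the flag is on would let operators and auditors spot a listener running with the relaxed list. The existing comment's "excluding:" list reads as reasons rather than exclusions; for item 1, `// TLS 1.3 suites are not configurable through CipherSuites` would be clearer. initGRPC starts and ends outside the hunk.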
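Review bot: The new example endpoint "2" in config/example/node.json turns TLS on with `use_insecure_crypto` but gives no `certificate` or `key`, and the matching hunk in config/example/node.yaml does the same. initGRPC passes `CertificateFile()` and `KeyFile()` to `tls.LoadX509KeyPair` for every endpoint whose TLS section is non-nil, so an operator copying this entry would presumably end up with a node that fails at startup; how the getters treat a missing value is outside this diff. Adding `"certificate": "/path/to/cert"` and `"key": "/path/to/key"` as in endpoint "0" keeps the example usable. In node.yaml the new `endpoint` and `enabled` lines also lack the trailing comments their siblings carry.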
@@ -37,7 +37,7 @@ grpc: 0: endpoint: s01.neofs.devenv:8080 # endpoint for gRPC server tls: - enabled: true # use TLS for a gRPC connection + enabled: true # use TLS for a gRPC connection (min version is TLS 1.2) certificate: /path/to/cert # path to TLS certificate key: /path/to/key # path to TLS key @@ -45,6 +45,11 @@ grpc: endpoint: s02.neofs.devenv:8080 # endpoint for gRPC server tls: enabled: false # use TLS for a gRPC connection + 2: + endpoint: s03.neofs.devenv:8080 + tls: + enabled: true + use_insecure_crypto: true # allow using insecure ciphers with TLS 1.2 control: authorized_keys: # list of hex-encoded public keys that have rights to use the Control Service