forked from TrueCloudLab/distribution
Merge pull request #3576 from justadogistaken/optimize/disable-insecure-cipher-suites
optimize: disable insecure cipher suites
This commit is contained in:
commit
02e2231e60
4 changed files with 32 additions and 15 deletions
|
@ -76,7 +76,6 @@ func (sbs statsBlobStore) ServeBlob(ctx context.Context, w http.ResponseWriter,
|
||||||
}
|
}
|
||||||
|
|
||||||
func (sbs statsBlobStore) Stat(ctx context.Context, dgst digest.Digest) (distribution.Descriptor, error) {
|
func (sbs statsBlobStore) Stat(ctx context.Context, dgst digest.Digest) (distribution.Descriptor, error) {
|
||||||
|
|
||||||
sbsMu.Lock()
|
sbsMu.Lock()
|
||||||
sbs.stats["stat"]++
|
sbs.stats["stat"]++
|
||||||
sbsMu.Unlock()
|
sbsMu.Unlock()
|
||||||
|
|
|
@ -37,22 +37,16 @@ import (
|
||||||
// a map of TLS cipher suite names to constants in https://golang.org/pkg/crypto/tls/#pkg-constants
|
// a map of TLS cipher suite names to constants in https://golang.org/pkg/crypto/tls/#pkg-constants
|
||||||
var cipherSuites = map[string]uint16{
|
var cipherSuites = map[string]uint16{
|
||||||
// TLS 1.0 - 1.2 cipher suites
|
// TLS 1.0 - 1.2 cipher suites
|
||||||
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
|
||||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
|
||||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
|
||||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
|
||||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
@ -82,8 +76,6 @@ var defaultCipherSuites = []uint16{
|
||||||
var defaultTLSVersionStr = "tls1.2"
|
var defaultTLSVersionStr = "tls1.2"
|
||||||
var tlsVersions = map[string]uint16{
|
var tlsVersions = map[string]uint16{
|
||||||
// user specified values
|
// user specified values
|
||||||
"tls1.0": tls.VersionTLS10,
|
|
||||||
"tls1.1": tls.VersionTLS11,
|
|
||||||
"tls1.2": tls.VersionTLS12,
|
"tls1.2": tls.VersionTLS12,
|
||||||
"tls1.3": tls.VersionTLS13,
|
"tls1.3": tls.VersionTLS13,
|
||||||
}
|
}
|
||||||
|
@ -230,11 +222,18 @@ func (registry *Registry) ListenAndServe() error {
|
||||||
}
|
}
|
||||||
dcontext.GetLogger(registry.app).Infof("restricting TLS version to %s or higher", config.HTTP.TLS.MinimumTLS)
|
dcontext.GetLogger(registry.app).Infof("restricting TLS version to %s or higher", config.HTTP.TLS.MinimumTLS)
|
||||||
|
|
||||||
tlsCipherSuites, err := getCipherSuites(config.HTTP.TLS.CipherSuites)
|
var tlsCipherSuites []uint16
|
||||||
|
// configuring cipher suites are no longer supported after the tls1.3.
|
||||||
|
// (https://go.dev/blog/tls-cipher-suites)
|
||||||
|
if tlsMinVersion > tls.VersionTLS12 {
|
||||||
|
dcontext.GetLogger(registry.app).Warnf("restricting TLS cipher suites to empty. Because configuring cipher suites is no longer supported in %s", config.HTTP.TLS.MinimumTLS)
|
||||||
|
} else {
|
||||||
|
tlsCipherSuites, err = getCipherSuites(config.HTTP.TLS.CipherSuites)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
dcontext.GetLogger(registry.app).Infof("restricting TLS cipher suites to: %s", strings.Join(getCipherSuiteNames(tlsCipherSuites), ","))
|
dcontext.GetLogger(registry.app).Infof("restricting TLS cipher suites to: %s", strings.Join(getCipherSuiteNames(tlsCipherSuites), ","))
|
||||||
|
}
|
||||||
|
|
||||||
tlsConf := &tls.Config{
|
tlsConf := &tls.Config{
|
||||||
ClientAuth: tls.NoClientCert,
|
ClientAuth: tls.NoClientCert,
|
||||||
|
|
|
@ -135,7 +135,10 @@ func TestGetCipherSuite(t *testing.T) {
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
resp, err = getCipherSuites([]string{"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_128_GCM_SHA256"})
|
resp, err = getCipherSuites([]string{
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||||
|
"TLS_AES_128_GCM_SHA256",
|
||||||
|
})
|
||||||
if err != nil || len(resp) != 2 ||
|
if err != nil || len(resp) != 2 ||
|
||||||
resp[0] != tls.TLS_RSA_WITH_AES_128_CBC_SHA || resp[1] != tls.TLS_AES_128_GCM_SHA256 {
|
resp[0] != tls.TLS_RSA_WITH_AES_128_CBC_SHA || resp[1] != tls.TLS_AES_128_GCM_SHA256 {
|
||||||
t.Errorf("expected cipher suites %q, got %q",
|
t.Errorf("expected cipher suites %q, got %q",
|
||||||
|
@ -148,6 +151,22 @@ func TestGetCipherSuite(t *testing.T) {
|
||||||
if err == nil {
|
if err == nil {
|
||||||
t.Error("did not return expected error about unknown cipher suite")
|
t.Error("did not return expected error about unknown cipher suite")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var insecureCipherSuites = []string{
|
||||||
|
"TLS_RSA_WITH_RC4_128_SHA",
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, suite := range insecureCipherSuites {
|
||||||
|
_, err = getCipherSuites([]string{suite})
|
||||||
|
if err == nil {
|
||||||
|
t.Errorf("Unexpected insecure cipher suite: %s", suite)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildRegistryTLSConfig(name, keyType string, cipherSuites []string) (*registryTLSConfig, error) {
|
func buildRegistryTLSConfig(name, keyType string, cipherSuites []string) (*registryTLSConfig, error) {
|
||||||
|
|
|
@ -46,7 +46,7 @@ func TestPurgeGather(t *testing.T) {
|
||||||
fs, ctx := testUploadFS(t, uploadCount, "test-repo", time.Now())
|
fs, ctx := testUploadFS(t, uploadCount, "test-repo", time.Now())
|
||||||
uploadData, errs := getOutstandingUploads(ctx, fs)
|
uploadData, errs := getOutstandingUploads(ctx, fs)
|
||||||
if len(errs) != 0 {
|
if len(errs) != 0 {
|
||||||
t.Errorf("Unexepected errors: %q", errs)
|
t.Errorf("Unexpected errors: %q", errs)
|
||||||
}
|
}
|
||||||
if len(uploadData) != uploadCount {
|
if len(uploadData) != uploadCount {
|
||||||
t.Errorf("Unexpected upload file count: %d != %d", uploadCount, len(uploadData))
|
t.Errorf("Unexpected upload file count: %d != %d", uploadCount, len(uploadData))
|
||||||
|
|
Loading…
Reference in a new issue