[#878] neofs-node: default to secure TLS settings

Support TLS >=1.2 only and strong cipher suites.

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
Evgenii Stratonikov 2021-11-30 13:07:46 +03:00 committed by Alex Vanin
parent 973e50ad72
commit d1be5b5f9e
5 changed files with 48 additions and 4 deletions

View file

@ -78,6 +78,11 @@ func (tls TLSConfig) CertificateFile() string {
return v return v
} }
// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted.
func (tls TLSConfig) UseInsecureCrypto() bool {
return config.BoolSafe(tls.cfg, "use_insecure_crypto")
}
// IterateEndpoints iterates over subsections ["0":"N") (N - "num" value) // IterateEndpoints iterates over subsections ["0":"N") (N - "num" value)
// of "grpc" section of c, wrap them into Config and passes to f. // of "grpc" section of c, wrap them into Config and passes to f.
// //

View file

@ -31,12 +31,17 @@ func TestGRPCSection(t *testing.T) {
case 0: case 0:
require.Equal(t, "s01.neofs.devenv:8080", sc.Endpoint()) require.Equal(t, "s01.neofs.devenv:8080", sc.Endpoint())
require.NotNil(t, tls)
require.Equal(t, "/path/to/cert", tls.CertificateFile()) require.Equal(t, "/path/to/cert", tls.CertificateFile())
require.Equal(t, "/path/to/key", tls.KeyFile()) require.Equal(t, "/path/to/key", tls.KeyFile())
require.False(t, tls.UseInsecureCrypto())
case 1: case 1:
require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint()) require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint())
require.Nil(t, tls) require.Nil(t, tls)
case 2:
require.Equal(t, "s03.neofs.devenv:8080", sc.Endpoint())
require.NotNil(t, tls)
require.True(t, tls.UseInsecureCrypto())
} }
}) })
} }

View file

@ -1,6 +1,7 @@
package main package main
import ( import (
"crypto/tls"
"fmt" "fmt"
"net" "net"
@ -25,8 +26,29 @@ func initGRPC(c *cfg) {
tlsCfg := sc.TLS() tlsCfg := sc.TLS()
if tlsCfg != nil { if tlsCfg != nil {
creds, err := credentials.NewServerTLSFromFile(tlsCfg.CertificateFile(), tlsCfg.KeyFile()) cert, err := tls.LoadX509KeyPair(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
fatalOnErrDetails("could not read credentials from file", err) fatalOnErrDetails("could not read certificate from file", err)
var cipherSuites []uint16
if !tlsCfg.UseInsecureCrypto() {
// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
// excluding:
// 1. TLS 1.3 suites need not be specified here.
// 2. Suites that use DH key exchange are not implemented by stdlib.
cipherSuites = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}
}
creds := credentials.NewTLS(&tls.Config{
MinVersion: tls.VersionTLS12,
CipherSuites: cipherSuites,
Certificates: []tls.Certificate{cert},
})
serverOpts = append(serverOpts, grpc.Creds(creds)) serverOpts = append(serverOpts, grpc.Creds(creds))
} }

View file

@ -53,6 +53,13 @@
"tls": { "tls": {
"enabled": false "enabled": false
} }
},
"2": {
"endpoint": "s03.neofs.devenv:8080",
"tls": {
"enabled": true,
"use_insecure_crypto": true
}
} }
}, },
"control": { "control": {

View file

@ -37,7 +37,7 @@ grpc:
0: 0:
endpoint: s01.neofs.devenv:8080 # endpoint for gRPC server endpoint: s01.neofs.devenv:8080 # endpoint for gRPC server
tls: tls:
enabled: true # use TLS for a gRPC connection enabled: true # use TLS for a gRPC connection (min version is TLS 1.2)
certificate: /path/to/cert # path to TLS certificate certificate: /path/to/cert # path to TLS certificate
key: /path/to/key # path to TLS key key: /path/to/key # path to TLS key
@ -45,6 +45,11 @@ grpc:
endpoint: s02.neofs.devenv:8080 # endpoint for gRPC server endpoint: s02.neofs.devenv:8080 # endpoint for gRPC server
tls: tls:
enabled: false # use TLS for a gRPC connection enabled: false # use TLS for a gRPC connection
2:
endpoint: s03.neofs.devenv:8080
tls:
enabled: true
use_insecure_crypto: true # allow using insecure ciphers with TLS 1.2
control: control:
authorized_keys: # list of hex-encoded public keys that have rights to use the Control Service authorized_keys: # list of hex-encoded public keys that have rights to use the Control Service