[#878] neofs-node: default to secure TLS settings

Support TLS >=1.2 only and strong cipher suites. Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-11-30 13:07:46 +03:00 · 2021-11-30 13:07:46 +03:00 · d1be5b5f9e
commit d1be5b5f9e
parent 973e50ad72
5 changed files with 48 additions and 4 deletions
--- a/cmd/neofs-node/config/grpc/config.go
+++ b/cmd/neofs-node/config/grpc/config.go
@ -78,6 +78,11 @@ func (tls TLSConfig) CertificateFile() string {
 	return v
 }

+// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted.
+func (tls TLSConfig) UseInsecureCrypto() bool {
+	return config.BoolSafe(tls.cfg, "use_insecure_crypto")
+}
+
 // IterateEndpoints iterates over subsections ["0":"N") (N - "num" value)
 // of "grpc" section of c, wrap them into Config and passes to f.
 //
--- a/cmd/neofs-node/config/grpc/config_test.go
+++ b/cmd/neofs-node/config/grpc/config_test.go
@ -31,12 +31,17 @@ func TestGRPCSection(t *testing.T) {
 			case 0:
 				require.Equal(t, "s01.neofs.devenv:8080", sc.Endpoint())

+				require.NotNil(t, tls)
 				require.Equal(t, "/path/to/cert", tls.CertificateFile())
 				require.Equal(t, "/path/to/key", tls.KeyFile())
+				require.False(t, tls.UseInsecureCrypto())
 			case 1:
 				require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint())
-
 				require.Nil(t, tls)
+			case 2:
+				require.Equal(t, "s03.neofs.devenv:8080", sc.Endpoint())
+				require.NotNil(t, tls)
+				require.True(t, tls.UseInsecureCrypto())
 			}
 		})
 	}
--- a/cmd/neofs-node/grpc.go
+++ b/cmd/neofs-node/grpc.go
@ -1,6 +1,7 @@
 package main

 import (
+	"crypto/tls"
 	"fmt"
 	"net"

@ -25,8 +26,29 @@ func initGRPC(c *cfg) {
 		tlsCfg := sc.TLS()

 		if tlsCfg != nil {
-			creds, err := credentials.NewServerTLSFromFile(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
-			fatalOnErrDetails("could not read credentials from file", err)
+			cert, err := tls.LoadX509KeyPair(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
+			fatalOnErrDetails("could not read certificate from file", err)
+
+			var cipherSuites []uint16
+			if !tlsCfg.UseInsecureCrypto() {
+				// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
+				// excluding:
+				// 1. TLS 1.3 suites need not be specified here.
+				// 2. Suites that use DH key exchange are not implemented by stdlib.
+				cipherSuites = []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+				}
+			}
+			creds := credentials.NewTLS(&tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: cipherSuites,
+				Certificates: []tls.Certificate{cert},
+			})

 			serverOpts = append(serverOpts, grpc.Creds(creds))
 		}
--- a/config/example/node.json
+++ b/config/example/node.json
@ -53,6 +53,13 @@
      "tls": {
        "enabled": false
      }
+    },
+    "2": {
+      "endpoint": "s03.neofs.devenv:8080",
+      "tls": {
+        "enabled": true,
+        "use_insecure_crypto": true
+      }
    }
  },
  "control": {
--- a/config/example/node.yaml
+++ b/config/example/node.yaml
@ -37,7 +37,7 @@ grpc:
  0:
    endpoint: s01.neofs.devenv:8080  # endpoint for gRPC server
    tls:
-      enabled: true  # use TLS for a gRPC connection
+      enabled: true  # use TLS for a gRPC connection (min version is TLS 1.2)
      certificate: /path/to/cert  # path to TLS certificate
      key: /path/to/key  # path to TLS key

@ -45,6 +45,11 @@ grpc:
    endpoint: s02.neofs.devenv:8080  # endpoint for gRPC server
    tls:
      enabled: false  # use TLS for a gRPC connection
+  2:
+    endpoint: s03.neofs.devenv:8080
+    tls:
+      enabled: true
+      use_insecure_crypto: true # allow using insecure ciphers with TLS 1.2

 control:
  authorized_keys:  # list of hex-encoded public keys that have rights to use the Control Service