[#878] neofs-node: default to secure TLS settings

Support TLS >=1.2 only and strong cipher suites. Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-11-30 13:07:46 +03:00 · 2021-11-30 13:07:46 +03:00 · d1be5b5f9e
commit d1be5b5f9e
parent 973e50ad72
5 changed files with 48 additions and 4 deletions
--- a/cmd/neofs-node/grpc.go
+++ b/cmd/neofs-node/grpc.go
@ -1,6 +1,7 @@
 package main

 import (
+	"crypto/tls"
 	"fmt"
 	"net"

@ -25,8 +26,29 @@ func initGRPC(c *cfg) {
 		tlsCfg := sc.TLS()

 		if tlsCfg != nil {
-			creds, err := credentials.NewServerTLSFromFile(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
-			fatalOnErrDetails("could not read credentials from file", err)
+			cert, err := tls.LoadX509KeyPair(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
+			fatalOnErrDetails("could not read certificate from file", err)
+
+			var cipherSuites []uint16
+			if !tlsCfg.UseInsecureCrypto() {
+				// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
+				// excluding:
+				// 1. TLS 1.3 suites need not be specified here.
+				// 2. Suites that use DH key exchange are not implemented by stdlib.
+				cipherSuites = []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+				}
+			}
+			creds := credentials.NewTLS(&tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: cipherSuites,
+				Certificates: []tls.Certificate{cert},
+			})

 			serverOpts = append(serverOpts, grpc.Creds(creds))
 		}