From cdb62b2b77775db037532daad2a9678d8fe5877c Mon Sep 17 00:00:00 2001 From: Greg Rebholz Date: Tue, 8 Jan 2019 21:29:40 -0500 Subject: [PATCH] Registry - make minimum TLS version user configurable Signed-off-by: J. Gregory Rebholz --- configuration/configuration.go | 3 +++ configuration/configuration_test.go | 2 ++ docs/configuration.md | 6 ++++-- registry/registry.go | 18 +++++++++++++++++- 4 files changed, 26 insertions(+), 3 deletions(-) diff --git a/configuration/configuration.go b/configuration/configuration.go index b347d63b9..690b8ae39 100644 --- a/configuration/configuration.go +++ b/configuration/configuration.go @@ -108,6 +108,9 @@ type Configuration struct { // A file may contain multiple CA certificates encoded as PEM ClientCAs []string `yaml:"clientcas,omitempty"` + // Specifies the lowest TLS version allowed + MinimumTLS string `yaml:"minimumtls,omitempty"` + // LetsEncrypt is used to configuration setting up TLS through // Let's Encrypt instead of manually specifying certificate and // key. If a TLS certificate is specified, the Let's Encrypt diff --git a/configuration/configuration_test.go b/configuration/configuration_test.go index e5f714867..d57fbf4fc 100644 --- a/configuration/configuration_test.go +++ b/configuration/configuration_test.go @@ -83,6 +83,7 @@ var configStruct = Configuration{ Certificate string `yaml:"certificate,omitempty"` Key string `yaml:"key,omitempty"` ClientCAs []string `yaml:"clientcas,omitempty"` + MinimumTLS string `yaml:"minimumtls,omitempty"` LetsEncrypt struct { CacheFile string `yaml:"cachefile,omitempty"` Email string `yaml:"email,omitempty"` @@ -105,6 +106,7 @@ var configStruct = Configuration{ Certificate string `yaml:"certificate,omitempty"` Key string `yaml:"key,omitempty"` ClientCAs []string `yaml:"clientcas,omitempty"` + MinimumTLS string `yaml:"minimumtls,omitempty"` LetsEncrypt struct { CacheFile string `yaml:"cachefile,omitempty"` Email string `yaml:"email,omitempty"` diff --git a/docs/configuration.md b/docs/configuration.md index 5b506758f..f9e368f99 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -777,6 +777,7 @@ http: clientcas: - /path/to/ca.pem - /path/to/another/ca.pem + minimumtls: tls1.0 letsencrypt: cachefile: /path/to/cache-file email: emailused@letsencrypt.com @@ -813,8 +814,9 @@ and proxy connections to the registry server. | Parameter | Required | Description | |-----------|----------|-------------------------------------------------------| | `certificate` | yes | Absolute path to the x509 certificate file. | -| `key` | yes | Absolute path to the x509 private key file. | -| `clientcas` | no | An array of absolute paths to x509 CA files. | +| `key` | yes | Absolute path to the x509 private key file. | +| `clientcas` | no | An array of absolute paths to x509 CA files. | +| `minimumtls` | no | Minimum TLS version allowed (tls1.0, tls1.1, tls1.2). Defaults to tls1.0 | ### `letsencrypt` diff --git a/registry/registry.go b/registry/registry.go index 18698f5bf..fd50b46a3 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -135,10 +135,26 @@ func (registry *Registry) ListenAndServe() error { } if config.HTTP.TLS.Certificate != "" || config.HTTP.TLS.LetsEncrypt.CacheFile != "" { + var tlsMinVersion uint16 + if config.HTTP.TLS.MinimumTLS == "" { + tlsMinVersion = tls.VersionTLS10 + } else { + switch config.HTTP.TLS.MinimumTLS { + case "tls1.0": + tlsMinVersion = tls.VersionTLS10 + case "tls1.1": + tlsMinVersion = tls.VersionTLS11 + case "tls1.2": + tlsMinVersion = tls.VersionTLS12 + default: + return fmt.Errorf("unknown minimum TLS level '%s' specified for http.tls.minimumtls", config.HTTP.TLS.MinimumTLS) + } + dcontext.GetLogger(registry.app).Infof("restricting TLS to %s or higher", config.HTTP.TLS.MinimumTLS) + } tlsConf := &tls.Config{ ClientAuth: tls.NoClientCert, NextProtos: nextProtos(config), - MinVersion: tls.VersionTLS10, + MinVersion: tlsMinVersion, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,