[#878] neofs-node: default to secure TLS settings

Support TLS >=1.2 only and strong cipher suites. Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
2021-11-30 13:07:46 +03:00 · 2021-11-30 13:07:46 +03:00 · d1be5b5f9e
commit d1be5b5f9e
parent 973e50ad72
5 changed files with 48 additions and 4 deletions
--- a/cmd/neofs-node/config/grpc/config.go
+++ b/cmd/neofs-node/config/grpc/config.go
@ -78,6 +78,11 @@ func (tls TLSConfig) CertificateFile() string {
 	return v
 }

+// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted.
+func (tls TLSConfig) UseInsecureCrypto() bool {
+	return config.BoolSafe(tls.cfg, "use_insecure_crypto")
+}
+
 // IterateEndpoints iterates over subsections ["0":"N") (N - "num" value)
 // of "grpc" section of c, wrap them into Config and passes to f.
 //
--- a/cmd/neofs-node/config/grpc/config_test.go
+++ b/cmd/neofs-node/config/grpc/config_test.go
@ -31,12 +31,17 @@ func TestGRPCSection(t *testing.T) {
 			case 0:
 				require.Equal(t, "s01.neofs.devenv:8080", sc.Endpoint())

+				require.NotNil(t, tls)
 				require.Equal(t, "/path/to/cert", tls.CertificateFile())
 				require.Equal(t, "/path/to/key", tls.KeyFile())
+				require.False(t, tls.UseInsecureCrypto())
 			case 1:
 				require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint())
-
 				require.Nil(t, tls)
+			case 2:
+				require.Equal(t, "s03.neofs.devenv:8080", sc.Endpoint())
+				require.NotNil(t, tls)
+				require.True(t, tls.UseInsecureCrypto())
 			}
 		})
 	}
--- a/cmd/neofs-node/grpc.go
+++ b/cmd/neofs-node/grpc.go
@ -1,6 +1,7 @@
 package main

 import (
+	"crypto/tls"
 	"fmt"
 	"net"

@ -25,8 +26,29 @@ func initGRPC(c *cfg) {
 		tlsCfg := sc.TLS()

 		if tlsCfg != nil {
-			creds, err := credentials.NewServerTLSFromFile(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
-			fatalOnErrDetails("could not read credentials from file", err)
+			cert, err := tls.LoadX509KeyPair(tlsCfg.CertificateFile(), tlsCfg.KeyFile())
+			fatalOnErrDetails("could not read certificate from file", err)
+
+			var cipherSuites []uint16
+			if !tlsCfg.UseInsecureCrypto() {
+				// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
+				// excluding:
+				// 1. TLS 1.3 suites need not be specified here.
+				// 2. Suites that use DH key exchange are not implemented by stdlib.
+				cipherSuites = []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+				}
+			}
+			creds := credentials.NewTLS(&tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: cipherSuites,
+				Certificates: []tls.Certificate{cert},
+			})

 			serverOpts = append(serverOpts, grpc.Creds(creds))
 		}