CB-28864: Make TLS version and cipher suites configurable

Author: szabolcs-horvath

Makefile

@@ -1,6 +1,6 @@
 BINARY=salt-bootstrap
 
-VERSION=0.14.2
+VERSION=0.14.3
 BUILD_TIME=$(shell date +%FT%T)
 LDFLAGS=-ldflags "-X github.com/hortonworks/salt-bootstrap/saltboot.Version=${VERSION} -X github.com/hortonworks/salt-bootstrap/saltboot.BuildTime=${BUILD_TIME}"
 GOFILES_NOVENDOR = $(shell find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./.git/*")

saltboot/distributor.go

@@ -30,11 +30,15 @@ func determineProtocol(httpsEnabled bool) string {
 
 func getHttpClient(httpsEnabled bool) *http.Client {
 	if httpsEnabled {
+		httpsConfig := GetHttpsConfig()
 		transport := http.DefaultTransport.(*http.Transport).Clone()
 		if transport.TLSClientConfig == nil {
 			transport.TLSClientConfig = &tls.Config{}
 		}
 		transport.TLSClientConfig.InsecureSkipVerify = true
+		transport.TLSClientConfig.MinVersion = httpsConfig.MinTlsVersion
+		transport.TLSClientConfig.MaxVersion = httpsConfig.MaxTlsVersion
+		transport.TLSClientConfig.CipherSuites = httpsConfig.CipherSuites
 
 		return &http.Client{
 			Transport: transport,

saltboot/netutil.go

@@ -1,6 +1,7 @@
 package saltboot
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -12,17 +13,22 @@ import (
 )
 
 const (
-	httpsEnabledKey           = "SALTBOOT_HTTPS_ENABLED"
-	portKey                   = "SALTBOOT_PORT"
-	defaultPort               = 7070
-	httpsPortKey              = "SALTBOOT_HTTPS_PORT"
-	defaultHttpsPort          = 7071
-	httpsCertFileKey          = "SALTBOOT_HTTPS_CERT_FILE"
-	defaultHttpsCertFile      = "/etc/certs/cluster.pem"
-	httpsKeyFileKey           = "SALTBOOT_HTTPS_KEY_FILE"
-	defaultHttpsKeyFile       = "/etc/certs/cluster-key.pem"
-	httpsCaCertFileKey        = "SALTBOOT_HTTPS_CACERT_FILE"
-	defaultHttpsCaCertFileKey = "/etc/certs/ca.pem"
+	httpsEnabledKey        = "SALTBOOT_HTTPS_ENABLED"
+	portKey                = "SALTBOOT_PORT"
+	defaultPort            = 7070
+	httpsPortKey           = "SALTBOOT_HTTPS_PORT"
+	defaultHttpsPort       = 7071
+	httpsCertFileKey       = "SALTBOOT_HTTPS_CERT_FILE"
+	defaultHttpsCertFile   = "/etc/certs/cluster.pem"
+	httpsKeyFileKey        = "SALTBOOT_HTTPS_KEY_FILE"
+	defaultHttpsKeyFile    = "/etc/certs/cluster-key.pem"
+	httpsCaCertFileKey     = "SALTBOOT_HTTPS_CACERT_FILE"
+	defaultHttpsCaCertFile = "/etc/certs/ca.pem"
+	minTlsVersionKey       = "SALTBOOT_MIN_TLS_VERSION"
+	defaultMinTlsVersion   = tls.VersionTLS12
+	maxTlsVersionKey       = "SALTBOOT_MAX_TLS_VERSION"
+	defaultMaxTlsVersion   = tls.VersionTLS13
+	cipherSuitesKey        = "SALTBOOT_CIPHER_SUITES"
 
 	userKey          = "SALTBOOT_USER"
 	passwdKey        = "SALTBOOT_PASSWORD"
@@ -31,10 +37,49 @@ const (
 	defaultConfigLoc = "/etc/salt-bootstrap/security-config.yml"
 )
 
+var tlsVersionMap = map[string]uint16{
+	"1.0": tls.VersionTLS10,
+	"1.1": tls.VersionTLS11,
+	"1.2": tls.VersionTLS12,
+	"1.3": tls.VersionTLS13,
+}
+
+/**
+ * This slice matches the list of cipher suites specified in https://pkg.go.dev/crypto/tls@go1.14.3#pkg-constants
+ * Only the TLS 1.0-1.2 cipher suites are listed, since according to the go documentation "...TLS 1.3 ciphersuites are not configurable."
+ */
+var cipherSuiteMap = map[string]uint16{
+	"TLS_RSA_WITH_RC4_128_SHA":                      tls.TLS_RSA_WITH_RC4_128_SHA,
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	"TLS_RSA_WITH_AES_128_CBC_SHA":                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_RSA_WITH_AES_256_CBC_SHA":                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	"TLS_RSA_WITH_AES_128_CBC_SHA256":               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+	"TLS_RSA_WITH_AES_128_GCM_SHA256":               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+	"TLS_RSA_WITH_AES_256_GCM_SHA384":               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":              tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":                tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+}
+
 type HttpsConfig struct {
-	CertFile   string `json:"certFile" yaml:"certFile"`
-	KeyFile    string `json:"keyFile" yaml:"keyFile"`
-	CaCertFile string `json:"caCertFile" yaml:"caCertFile"`
+	CertFile      string   `json:"certFile" yaml:"certFile"`
+	KeyFile       string   `json:"keyFile" yaml:"keyFile"`
+	CaCertFile    string   `json:"caCertFile" yaml:"caCertFile"`
+	MinTlsVersion uint16   `json:"minTlsVersion" yaml:"minTlsVersion"`
+	MaxTlsVersion uint16   `json:"maxTlsVersion" yaml:"maxTlsVersion"`
+	CipherSuites  []uint16 `json:"cipherSuites" yaml:"cipherSuites"`
 }
 
 type SecurityConfig struct {
@@ -43,6 +88,19 @@ type SecurityConfig struct {
 	SignVerifyKey string `json:"signKey" yaml:"signKey"`
 }
 
+func defaultCipherSuites() []uint16 {
+	return []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	}
+}
+
 func defaultSecurityConfigLoc() string {
 	return defaultConfigLoc
 }
@@ -107,9 +165,9 @@ func GetHttpsConfig() HttpsConfig {
 	certFileStr := os.Getenv(httpsCertFileKey)
 	keyFileStr := os.Getenv(httpsKeyFileKey)
 	caCertFileStr := os.Getenv(httpsCaCertFileKey)
-	log.Printf("[GetHttpsConfig] %s: %s", httpsCertFileKey, certFileStr)
-	log.Printf("[GetHttpsConfig] %s: %s", httpsKeyFileKey, keyFileStr)
-	log.Printf("[GetHttpsConfig] %s: %s", httpsCaCertFileKey, caCertFileStr)
+	minTlsVersionStr := os.Getenv(minTlsVersionKey)
+	maxTlsVersionStr := os.Getenv(maxTlsVersionKey)
+	cipherSuitesStr := os.Getenv(cipherSuitesKey)
 
 	if certFileStr == "" {
 		httpsConfig.CertFile = defaultHttpsCertFile
@@ -124,11 +182,43 @@ func GetHttpsConfig() HttpsConfig {
 		httpsConfig.KeyFile = keyFileStr
 	}
 	if caCertFileStr == "" {
-		httpsConfig.CaCertFile = defaultHttpsCaCertFileKey
-		log.Printf("[GetHttpsConfig] using default ca cert file: %s", defaultHttpsCaCertFileKey)
+		httpsConfig.CaCertFile = defaultHttpsCaCertFile
+		log.Printf("[GetHttpsConfig] using default ca cert file: %s", defaultHttpsCaCertFile)
 	} else {
 		httpsConfig.CaCertFile = caCertFileStr
 	}
+	if minTlsVersionStr == "" {
+		httpsConfig.MinTlsVersion = defaultMinTlsVersion
+		log.Printf("[GetHttpsConfig] using default min TLS version: %s", tlsVersionToString(defaultMinTlsVersion))
+	} else {
+		minTlsVersion, valid := tlsVersionMap[minTlsVersionStr]
+		if !valid {
+			log.Fatalf("[GetHttpsConfig] The specified TLS version is not a valid TLS version: %s", minTlsVersionStr)
+		}
+		httpsConfig.MinTlsVersion = minTlsVersion
+	}
+	if maxTlsVersionStr == "" {
+		httpsConfig.MaxTlsVersion = defaultMaxTlsVersion
+		log.Printf("[GetHttpsConfig] using default max TLS version: %s", tlsVersionToString(defaultMaxTlsVersion))
+	} else {
+		maxTlsVersion, valid := tlsVersionMap[maxTlsVersionStr]
+		if !valid {
+			log.Fatalf("[GetHttpsConfig] The specified TLS version is not a valid TLS version: %s", maxTlsVersionStr)
+		}
+		httpsConfig.MaxTlsVersion = maxTlsVersion
+	}
+	if cipherSuitesStr == "" {
+		httpsConfig.CipherSuites = defaultCipherSuites()
+		log.Printf("[GetHttpsConfig] using default list of cipher suites: %s", MapUint16ToString(defaultCipherSuites(), cipherSuiteToString))
+	} else {
+		httpsConfig.CipherSuites = MapStringToUint16(strings.Split(cipherSuitesStr, ","), func(s string) uint16 {
+			cipherSuite, valid := cipherSuiteMap[s]
+			if !valid {
+				log.Fatalf("[GetHttpsConfig] The specified cipher suite is not a valid cipher suite: %s", s)
+			}
+			return cipherSuite
+		})
+	}
 	return httpsConfig
 }
 
@@ -158,6 +248,24 @@ func GetConcatenatedCertFilePath(httpsConfig HttpsConfig) (string, error) {
 	return tmpFile.Name(), nil
 }
 
+func tlsVersionToString(tlsVersion uint16) string {
+	for str, constant := range tlsVersionMap {
+		if constant == tlsVersion {
+			return str
+		}
+	}
+	return fmt.Sprintf("(0x%04x)", tlsVersion)
+}
+
+func cipherSuiteToString(cipherSuite uint16) string {
+	for str, constant := range cipherSuiteMap {
+		if constant == cipherSuite {
+			return str
+		}
+	}
+	return fmt.Sprintf("(0x%04x)", cipherSuite)
+}
+
 func DetermineSecurityDetails(getEnv func(key string) string, securityConfig func() string) (*SecurityConfig, error) {
 	var config SecurityConfig
 	configLoc := strings.TrimSpace(getEnv(configLocKey))

saltboot/netutil_test.go

@@ -1,7 +1,10 @@
 package saltboot
 
 import (
+	"crypto/tls"
+	"log"
 	"os"
+	"os/exec"
 	"strings"
 	"testing"
 )
@@ -54,14 +57,13 @@ func TestDetermineHttpsPortDefault(t *testing.T) {
 
 func TestDetermineHttpsPortCustom(t *testing.T) {
 	os.Setenv(httpsPortKey, "8080")
+	defer os.Unsetenv(httpsPortKey)
 
 	port := DetermineHttpsPort()
 
 	if port != 8080 {
 		t.Errorf("port does not match the custom HTTPS port %d == %d", 8080, port)
 	}
-
-	os.Unsetenv(httpsPortKey)
 }
 
 func TestDetermineHttpPortDefault(t *testing.T) {
@@ -74,14 +76,13 @@ func TestDetermineHttpPortDefault(t *testing.T) {
 
 func TestDetermineHttpPortCustom(t *testing.T) {
 	os.Setenv(portKey, "8080")
+	defer os.Unsetenv(portKey)
 
 	port := DetermineHttpPort()
 
 	if port != 8080 {
 		t.Errorf("port does not match the custom port %d == %d", 8080, port)
 	}
-
-	os.Unsetenv(portKey)
 }
 
 func TestGetHttpsConfigDefault(t *testing.T) {
@@ -93,35 +94,115 @@ func TestGetHttpsConfigDefault(t *testing.T) {
 	if httpsConfig.KeyFile != defaultHttpsKeyFile {
 		t.Errorf("key file does not match the default %s == %s", defaultHttpsKeyFile, httpsConfig.KeyFile)
 	}
-	if httpsConfig.CaCertFile != defaultHttpsCaCertFileKey {
-		t.Errorf("ca cert file does not match the default %s == %s", defaultHttpsCaCertFileKey, httpsConfig.CaCertFile)
+	if httpsConfig.CaCertFile != defaultHttpsCaCertFile {
+		t.Errorf("ca cert file does not match the default %s == %s", defaultHttpsCaCertFile, httpsConfig.CaCertFile)
+	}
+	if httpsConfig.MinTlsVersion != defaultMinTlsVersion {
+		t.Errorf("min TLS version does not match the default %d == %d", defaultMinTlsVersion, httpsConfig.MinTlsVersion)
+	}
+	if httpsConfig.MaxTlsVersion != defaultMaxTlsVersion {
+		t.Errorf("max TLS version does not match the default %d == %d", defaultMaxTlsVersion, httpsConfig.MaxTlsVersion)
+	}
+	if !EqualUint16Slices(httpsConfig.CipherSuites, defaultCipherSuites()) {
+		t.Errorf("list of cipher suites does not match the default list %d == %d", defaultCipherSuites(), httpsConfig.CipherSuites)
 	}
 }
 
 func TestGetHttpsConfigCustom(t *testing.T) {
 	os.Setenv(httpsCertFileKey, "path/certfile.pem")
 	os.Setenv(httpsKeyFileKey, "path/keyfile.pem")
 	os.Setenv(httpsCaCertFileKey, "path/ca.pem")
+	os.Setenv(minTlsVersionKey, "1.1")
+	os.Setenv(maxTlsVersionKey, "1.2")
+	os.Setenv(cipherSuitesKey, "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384")
+	defer os.Unsetenv(httpsCertFileKey)
+	defer os.Unsetenv(httpsKeyFileKey)
+	defer os.Unsetenv(httpsCaCertFileKey)
+	defer os.Unsetenv(minTlsVersionKey)
+	defer os.Unsetenv(maxTlsVersionKey)
+	defer os.Unsetenv(cipherSuitesKey)
 
 	httpsConfig := GetHttpsConfig()
 
 	if httpsConfig.CertFile != "path/certfile.pem" {
-		t.Errorf("cert file does not match the default %s == %s", "path/certfile.pem", httpsConfig.CertFile)
+		t.Errorf("cert file does not match the one specified %s == %s", "path/certfile.pem", httpsConfig.CertFile)
 	}
 	if httpsConfig.KeyFile != "path/keyfile.pem" {
-		t.Errorf("key file does not match the default %s == %s", "path/keyfile.pem", httpsConfig.KeyFile)
+		t.Errorf("key file does not match the one specified %s == %s", "path/keyfile.pem", httpsConfig.KeyFile)
 	}
 	if httpsConfig.CaCertFile != "path/ca.pem" {
-		t.Errorf("ca cert file does not match the default %s == %s", "path/ca.pem", httpsConfig.CaCertFile)
+		t.Errorf("ca cert file does not match the one specified %s == %s", "path/ca.pem", httpsConfig.CaCertFile)
+	}
+	if httpsConfig.MinTlsVersion != tls.VersionTLS11 {
+		t.Errorf("min TLS version does not match the one specified %d == %d", tls.VersionTLS11, httpsConfig.MinTlsVersion)
+	}
+	if httpsConfig.MaxTlsVersion != tls.VersionTLS12 {
+		t.Errorf("max TLS version does not match the one specified %d == %d", tls.VersionTLS12, httpsConfig.MaxTlsVersion)
+	}
+	expectedCipherSuites := []uint16{tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_256_GCM_SHA384}
+	if !EqualUint16Slices(httpsConfig.CipherSuites, expectedCipherSuites) {
+		t.Errorf("list of cipher suites does not match the one specified %d == %d", expectedCipherSuites, httpsConfig.CipherSuites)
+	}
+}
+
+func TestGetHttpsConfigInvalidMinTlsVersion(t *testing.T) {
+	os.Setenv(minTlsVersionKey, "0.9")
+	defer os.Unsetenv(minTlsVersionKey)
+	if os.Getenv("SALTBOOT_MIN_TLS_CRASHER") == "1" {
+		GetHttpsConfig()
+		return
+	}
+	cmd := exec.Command(os.Args[0], "-test.run=TestGetHttpsConfigInvalidMinTlsVersion")
+	cmd.Env = append(cmd.Env, "SALTBOOT_MIN_TLS_CRASHER=1")
+	cmd.Stderr = os.Stderr
+
+	err := cmd.Run()
+
+	if e, ok := err.(*exec.ExitError); ok && !e.Success() {
+		log.Printf("Process exited as expected: %v", err)
+		return
+	}
+	t.Errorf("Process did not exit as expected: %v", err)
+}
+
+func TestGetHttpsConfigInvalidMaxTlsVersion(t *testing.T) {
+	os.Setenv(maxTlsVersionKey, "0.9")
+	defer os.Unsetenv(maxTlsVersionKey)
+	if os.Getenv("SALTBOOT_MAX_TLS_CRASHER") == "1" {
+		GetHttpsConfig()
+		return
 	}
+	cmd := exec.Command(os.Args[0], "-test.run=TestGetHttpsConfigInvalidMaxTlsVersion")
+	cmd.Env = append(cmd.Env, "SALTBOOT_MAX_TLS_CRASHER=1")
+	cmd.Stderr = os.Stderr
+
+	err := cmd.Run()
 
-	os.Unsetenv(httpsCertFileKey)
-	os.Unsetenv(httpsKeyFileKey)
-	os.Unsetenv(httpsCaCertFileKey)
+	if e, ok := err.(*exec.ExitError); ok && !e.Success() {
+		log.Printf("Process exited as expected: %v", err)
+		return
+	}
+	t.Errorf("Process did not exit as expected: %v", err)
 }
 
-func TestGetConcatenatedCertFilePath(t *testing.T) {
+func TestGetHttpsConfigInvalidCipherSuite(t *testing.T) {
+	os.Setenv(cipherSuitesKey, "TLS_ECDHE_RSA_WITH_RC4_128_SHA,NOT_GOOD_VERY_BAD_CIPHER_SUITE,TLS_RSA_WITH_AES_256_GCM_SHA384")
+	defer os.Unsetenv(cipherSuitesKey)
+	if os.Getenv("SALTBOOT_CIPHER_SUITES_CRASHER") == "1" {
+		GetHttpsConfig()
+		return
+	}
+	cmd := exec.Command(os.Args[0], "-test.run=TestGetHttpsConfigInvalidCipherSuite")
+	cmd.Env = append(cmd.Env, "SALTBOOT_CIPHER_SUITES_CRASHER=1")
+	cmd.Stderr = os.Stderr
+
+	err := cmd.Run()
 
+	if e, ok := err.(*exec.ExitError); ok && !e.Success() {
+		log.Printf("Process exited as expected: %v", err)
+		return
+	}
+	t.Errorf("Process did not exit as expected: %v", err)
 }
 
 func TestConfigfileFoundByEnv(t *testing.T) {