New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added flag for user configurable cipher suites #3169
Added flag for user configurable cipher suites #3169
Conversation
regarding the golangci-lint installation method, they mention that in regards to cipher suites:before:
after
|
f04d537
to
aa22c55
Compare
When is this going to go through? TLS 1.0 in this day is wrong. |
Any plans to merge this? This is way overdue. |
@d-luu can you rebase, please? Thanks. |
aa22c55
to
44553eb
Compare
let me verify something before merging |
@milosgajdos I recall awhile back being able to pass ClientCAs via the list index |
Thanks for the awesome work on this, @d-luu I'm planning on setting this up locally over this weekend and having a proper look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made a small style suggestion, but this PR looks nice. Thanks for putting it together.
54cd241
to
990b318
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All I've got are nits, otherwise 🙈
registry/registry.go
Outdated
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | ||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | ||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was initially a little confused since for these last two 1.0 - 1.2 cipher suites the string name doesn't match the constant name. I looked it up here: https://golang.org/pkg/crypto/tls/#pkg-constants and see that you are using the legacy constant name which ultimately has the same value as the corresponding _SHA256
-suffixed constant. I think it'd be less confusing just to use the matching constant name here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can remove those
registry/registry.go
Outdated
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | ||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | ||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know it probably doesn't matter much, but I would prefer to be consistent in the usage of cipher suite names by using TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
.
registry/registry.go
Outdated
if len(names) == 0 { | ||
return defaultCipherSuites, nil | ||
} | ||
cipherSuiteConsts := make([]uint16, 0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super nit:
cipherSuiteConsts := make([]uint16, len(names))
registry/registry.go
Outdated
if len(ids) == 0 { | ||
return nil | ||
} | ||
var names []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: in getCipherSuites
you use a different style of slice initialization, it'd be nice to be consistent within the same commit
Codecov Report
@@ Coverage Diff @@
## main #3169 +/- ##
==========================================
+ Coverage 55.84% 56.22% +0.38%
==========================================
Files 102 102
Lines 7222 7224 +2
==========================================
+ Hits 4033 4062 +29
+ Misses 2552 2520 -32
- Partials 637 642 +5
Continue to review full report at Codecov.
|
Configuration of list of cipher suites allows a user to disable use of weak ciphers or continue to support them for legacy usage if they so choose. List of available cipher suites at: https://golang.org/pkg/crypto/tls/#pkg-constants Default cipher suites have been updated to: - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 - TLS_CHACHA20_POLY1305_SHA256 - TLS_AES_256_GCM_SHA384 MinimumTLS has also been updated to include TLS 1.3 as an option and now defaults to TLS 1.2 since 1.0 and 1.1 have been deprecated. Signed-off-by: David Luu <david@davidluu.info>
7fff010
to
1e625d0
Compare
squashed/rebased only |
Any plans to make a new released? Docker Registry is still using TLS 1.0 see #3333 |
I ran the registry image from the development branch (2.7.0-272-gc63b5805) and TLS 1.0 and 1.1 are deprecated as indicated by d-luu. I think it's just a matter to get the modifications in the next release. You can always do like I did and get the development registry image in the mean time. |
Configuration of list of cipher suites allows a user to disable use
of weak ciphers or continue to support them for legacy usage if they
so choose.
List of available cipher suites at:
https://golang.org/pkg/crypto/tls/#pkg-constants
Default cipher suites have been updated to:
MinimumTLS has also been updated to include TLS 1.3 as an option
and now defaults to TLS 1.2 since 1.0 and 1.1 have been deprecated.
Also updated install-dev-tools to use recommended golangci-lint
install to fix CI pipeline.
Signed-off-by: David Luu david@davidluu.info