Mandate TLS 1.2 or higher in fabhttp package

This commit ensures that the HTTP server that is spawned by the fabhttp package only accepts TLS handshakes from clients that attempt to use TLS 1.2 or higher. Change-Id: Ia25482d9c96f68506724a58258451311b3d63208 Signed-off-by: Yacov Manevich <yacovm@il.ibm.com>
hyperledger · Jun 21, 2021 · 16259ed · 16259ed
1 parent b5a4fe9
commit 16259ed
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 1 deletion.
diff --git a/common/fabhttp/fabhttp_suite_test.go b/common/fabhttp/fabhttp_suite_test.go
@@ -48,7 +48,7 @@ func generateCertificates(tempDir string) {
 	Expect(err).NotTo(HaveOccurred())
 }
 
-func newHTTPClient(tlsDir string, withClientCert bool) *http.Client {
+func newHTTPClient(tlsDir string, withClientCert bool, tlsOpts ...func(config *tls.Config)) *http.Client {
 	clientCertPool := x509.NewCertPool()
 	caCert, err := ioutil.ReadFile(filepath.Join(tlsDir, "server-ca.pem"))
 	Expect(err).NotTo(HaveOccurred())
@@ -66,6 +66,10 @@ func newHTTPClient(tlsDir string, withClientCert bool) *http.Client {
 		tlsClientConfig.Certificates = []tls.Certificate{clientCert}
 	}
 
+	for _, opt := range tlsOpts {
+		opt(tlsClientConfig)
+	}
+
 	return &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsClientConfig,

diff --git a/common/fabhttp/server_test.go b/common/fabhttp/server_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package fabhttp_test
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -67,6 +68,27 @@ var _ = Describe("Server", func() {
 		}
 	})
 
+	When("trying to connect with an old TLS version", func() {
+		BeforeEach(func() {
+			tlsOpts := []func(config *tls.Config){func(config *tls.Config) {
+				config.MaxVersion = tls.VersionTLS11
+				config.ClientAuth = tls.RequireAndVerifyClientCert
+			}}
+
+			client = newHTTPClient(tempDir, true, tlsOpts...)
+		})
+
+		It("does not answer clients using an older TLS version than 1.2", func() {
+			server.RegisterHandler(AdditionalTestApiPath, &fakes.Handler{Code: http.StatusOK, Text: "secure"}, options.TLS.Enabled)
+			err := server.Start()
+			Expect(err).NotTo(HaveOccurred())
+
+			addApiURL := fmt.Sprintf("https://%s%s", server.Addr(), AdditionalTestApiPath)
+			_, err = client.Get(addApiURL)
+			Expect(err.Error()).To(ContainSubstring("tls: protocol version not supported"))
+		})
+	})
+
 	It("does not host a secure endpoint for additional APIs by default", func() {
 		err := server.Start()
 		Expect(err).NotTo(HaveOccurred())

diff --git a/common/fabhttp/tls.go b/common/fabhttp/tls.go
@@ -39,6 +39,7 @@ func (t TLS) Config() (*tls.Config, error) {
 			caCertPool.AppendCertsFromPEM(caPem)
 		}
 		tlsConfig = &tls.Config{
+			MinVersion:   tls.VersionTLS12,
 			Certificates: []tls.Certificate{cert},
 			CipherSuites: comm.DefaultTLSCipherSuites,
 			ClientCAs:    caCertPool,

diff --git a/common/fabhttp/tls_test.go b/common/fabhttp/tls_test.go
@@ -65,6 +65,7 @@ var _ = Describe("TLS", func() {
 		tlsConfig.ClientCAs = nil
 
 		Expect(tlsConfig).To(Equal(&tls.Config{
+			MinVersion:   tls.VersionTLS12,
 			Certificates: []tls.Certificate{cert},
 			CipherSuites: []uint16{
 				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,