From 16259ed70a4cd57513be40a0678213d9274a9ae8 Mon Sep 17 00:00:00 2001
From: Yacov Manevich
Date: Mon, 21 Jun 2021 23:04:02 +0300
Subject: [PATCH] Mandate TLS 1.2 or higher in fabhttp package

This commit ensures that the HTTP server that is spawned by the fabhttp package only accepts TLS handshakes from clients that attempt to use TLS 1.2 or higher.

Change-Id: Ia25482d9c96f68506724a58258451311b3d63208
Signed-off-by: Yacov Manevich
---
 common/fabhttp/fabhttp_suite_test.go | 6 +++++-
 common/fabhttp/server_test.go | 22 ++++++++++++++++++++++
 common/fabhttp/tls.go | 1 +
 common/fabhttp/tls_test.go | 1 +
 4 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/common/fabhttp/fabhttp_suite_test.go b/common/fabhttp/fabhttp_suite_test.go
index e66c2d9a05f..011169d5642 100644
--- a/common/fabhttp/fabhttp_suite_test.go
+++ b/common/fabhttp/fabhttp_suite_test.go
@@ -48,7 +48,7 @@ func generateCertificates(tempDir string) {
 Expect(err).NotTo(HaveOccurred())
 }
 
-func newHTTPClient(tlsDir string, withClientCert bool) *http.Client {
+func newHTTPClient(tlsDir string, withClientCert bool, tlsOpts ...func(config *tls.Config)) *http.Client {
 clientCertPool := x509.NewCertPool()
 caCert, err := ioutil.ReadFile(filepath.Join(tlsDir, "server-ca.pem"))
 Expect(err).NotTo(HaveOccurred())
@@ -66,6 +66,10 @@ func newHTTPClient(tlsDir string, withClientCert bool) *http.Client {
 tlsClientConfig.Certificates = []tls.Certificate{clientCert}
 }
 
+ for _, opt := range tlsOpts {
+ opt(tlsClientConfig)
+ }
+
 return &http.Client{
 Transport: &http.Transport{
 TLSClientConfig: tlsClientConfig,
diff --git a/common/fabhttp/server_test.go b/common/fabhttp/server_test.go
index 5d2248e578d..b8dcac1cc8d 100644
--- a/common/fabhttp/server_test.go
+++ b/common/fabhttp/server_test.go
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package fabhttp_test
 
 import (
+ "crypto/tls"
 "fmt"
 "io/ioutil"
 "net"
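Review bot: The new variadic `tlsOpts` parameter on `newHTTPClient` is undocumented, and its interaction with `withClientCert` is not obvious: the options run only after the client certificate has been installed (second hunk of fabhttp_suite_test.go), so an option can silently overwrite `Certificates` or any other field the helper set. A one-line comment on the helper would make that contract explicit, e.g. `// newHTTPClient returns a test client trusting server-ca.pem; tlsOpts are applied last and may override any field the helper set, including Certificates.` The helper's body continues outside both hunks.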
@@ -67,6 +68,27 @@ var _ = Describe("Server", func() {
 }
 })
 
+ When("trying to connect with an old TLS version", func() {
+ BeforeEach(func() {
+ tlsOpts := []func(config *tls.Config){func(config *tls.Config) {
+ config.MaxVersion = tls.VersionTLS11
+ config.ClientAuth = tls.RequireAndVerifyClientCert
+ }}
+
+ client = newHTTPClient(tempDir, true, tlsOpts...)
+ })
+
+ It("does not answer clients using an older TLS version than 1.2", func() {
+ server.RegisterHandler(AdditionalTestApiPath, &fakes.Handler{Code: http.StatusOK, Text: "secure"}, options.TLS.Enabled)
+ err := server.Start()
+ Expect(err).NotTo(HaveOccurred())
+
+ addApiURL := fmt.Sprintf("https://%s%s", server.Addr(), AdditionalTestApiPath)
+ _, err = client.Get(addApiURL)
+ Expect(err.Error()).To(ContainSubstring("tls: protocol version not supported"))
+ })
+ })
+
 It("does not host a secure endpoint for additional APIs by default", func() {
 err := server.Start()
 Expect(err).NotTo(HaveOccurred())
diff --git a/common/fabhttp/tls.go b/common/fabhttp/tls.go
index dd426bcdcd7..9e17c776d9b 100644
--- a/common/fabhttp/tls.go
+++ b/common/fabhttp/tls.go
@@ -39,6 +39,7 @@ func (t TLS) Config() (*tls.Config, error) {
 caCertPool.AppendCertsFromPEM(caPem)
 }
 tlsConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
 Certificates: []tls.Certificate{cert},
 CipherSuites: comm.DefaultTLSCipherSuites,
 ClientCAs: caCertPool,
diff --git a/common/fabhttp/tls_test.go b/common/fabhttp/tls_test.go
index a74f778d6cb..f6efe689ebf 100644
--- a/common/fabhttp/tls_test.go
+++ b/common/fabhttp/tls_test.go
@@ -65,6 +65,7 @@ var _ = Describe("TLS", func() {
 tlsConfig.ClientCAs = nil
 
 Expect(tlsConfig).To(Equal(&tls.Config{
+ MinVersion: tls.VersionTLS12,
 Certificates: []tls.Certificate{cert},
 CipherSuites: []uint16{
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
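Review bot: `Expect(err.Error()).To(ContainSubstring(...))` in the new `It` block dereferences `err` before asserting it is non-nil, so if the server ever regresses to accepting TLS 1.1 the test dies with a nil-pointer panic (and leaks the response body) instead of reporting a clear assertion failure; insert `Expect(err).To(HaveOccurred())` before that line, or capture `resp, err := client.Get(addApiURL)` and close `resp.Body` when `err` is nil. Separately, `config.ClientAuth = tls.RequireAndVerifyClientCert` in the `BeforeEach` option sets a server-side policy field that crypto/tls ignores on a client configuration, so the line is a no-op here — the client certificate is already supplied by passing `withClientCert` as `true`; drop it or replace it with a comment explaining why only `MaxVersion` matters. The enclosing `Describe` block starts and ends outside the hunk.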
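Review bot: `MinVersion: tls.VersionTLS12` is set only on the `tls.Config` literal built in this branch of `Config()`, whose beginning lies outside the hunk; if the method has another path that returns a config, the floor is not applied there — worth confirming. Note also that `CipherSuites: comm.DefaultTLSCipherSuites` constrains TLS 1.2 handshakes only, since crypto/tls does not allow the cipher suite list to restrict TLS 1.3, so the effective policy is "TLS 1.2 with the listed suites, or TLS 1.3 with Go's fixed suites"; a comment on the literal would stop a future reader assuming the list governs both, e.g. `// MinVersion rejects TLS 1.0/1.1 handshakes; CipherSuites applies to TLS 1.2 only (TLS 1.3 suites are fixed by crypto/tls).` The exported method's doc comment, outside the hunk, should also state the TLS 1.2 floor so callers see it without reading the body.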