Harden tls on all places (#5184)

PR 2938 hardens tls though there are other places that uses TLS as well and setTLSDefaults are not invoked in other paths. This PR hardens tls on all places. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2025-10-31 02:03:20 -04:00 · 2022-02-17 12:26:08 -08:00
parent f8a02aaf58
commit c0c72e5894
2 changed files with 24 additions and 20 deletions
--- a/plugin/pkg/tls/tls.go
+++ b/plugin/pkg/tls/tls.go
@@ -11,6 +11,22 @@ import (
 	"time"
 )

+func setTLSDefaults(ctls *tls.Config) {
+	ctls.MinVersion = tls.VersionTLS12
+	ctls.MaxVersion = tls.VersionTLS13
+	ctls.CipherSuites = []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+}
+
 // NewTLSConfigFromArgs returns a TLS config based upon the passed
 // in list of arguments. Typically these come straight from the
 // Corefile.
@@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
 		return nil, err
 	}

-	return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil
+	tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}
+	setTLSDefaults(tlsConfig)
+
+	return tlsConfig, nil
 }

 // NewTLSClientConfig returns a TLS config for a client connection
@@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) {
 		return nil, err
 	}

-	return &tls.Config{RootCAs: roots}, nil
+	tlsConfig := &tls.Config{RootCAs: roots}
+	setTLSDefaults(tlsConfig)
+
+	return tlsConfig, nil
 }

 func loadRoots(caPath string) (*x509.CertPool, error) {