Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-31 18:23:13 -04:00
Code Issues Packages Projects Releases Wiki Activity

Harden tls on all places (#5184)

Browse Source 
PR 2938 hardens tls though there are other places that uses TLS
as well and setTLSDefaults are not invoked in other paths.

This PR hardens tls on all places.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is contained in:
Yong Tang
2022-02-17 12:26:08 -08:00
committed by GitHub
parent f8a02aaf58
commit c0c72e5894
2 changed files with 24 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
plugin/pkg/tls/tls.go
View File

@@ -11,6 +11,22 @@ import (
"time" "time"
) )
func setTLSDefaults(ctls *tls.Config) {
ctls.MinVersion = tls.VersionTLS12
ctls.MaxVersion = tls.VersionTLS13
ctls.CipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
}
// NewTLSConfigFromArgs returns a TLS config based upon the passed // NewTLSConfigFromArgs returns a TLS config based upon the passed
// in list of arguments. Typically these come straight from the // in list of arguments. Typically these come straight from the
// Corefile. // Corefile.
@@ -76,7 +92,10 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
return nil, err return nil, err
} }
return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}, nil tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots}
setTLSDefaults(tlsConfig)
return tlsConfig, nil
} }
// NewTLSClientConfig returns a TLS config for a client connection // NewTLSClientConfig returns a TLS config for a client connection
@@ -87,7 +106,10 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) {
return nil, err return nil, err
} }
return &tls.Config{RootCAs: roots}, nil tlsConfig := &tls.Config{RootCAs: roots}
setTLSDefaults(tlsConfig)
return tlsConfig, nil
} }
func loadRoots(caPath string) (*x509.CertPool, error) { func loadRoots(caPath string) (*x509.CertPool, error) {

18
plugin/tls/tls.go
View File

@@ -19,22 +19,6 @@ func setup(c *caddy.Controller) error {
return nil return nil
} }
func setTLSDefaults(tls *ctls.Config) {
tls.MinVersion = ctls.VersionTLS12
tls.MaxVersion = ctls.VersionTLS13
tls.CipherSuites = []uint16{
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
}
func parseTLS(c *caddy.Controller) error { func parseTLS(c *caddy.Controller) error {
config := dnsserver.GetConfig(c) config := dnsserver.GetConfig(c)
@@ -81,8 +65,6 @@ func parseTLS(c *caddy.Controller) error {
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it. // NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
tls.ClientCAs = tls.RootCAs tls.ClientCAs = tls.RootCAs
setTLSDefaults(tls)
config.TLSConfig = tls config.TLSConfig = tls
} }
return nil return nil