From b3db293091b1247973aae176b2e733debd87047b Mon Sep 17 00:00:00 2001
From: DQ
Date: Mon, 13 Apr 2020 16:41:19 +0800
Subject: [PATCH 1/2] TLS update min version and cipher suits

min version set to tls 1.2 suit only use ecdhe and strenth above 256

Signed-off-by: DQ
---
 src/common/http/tls.go | 21 +++++++++++++++++++++
 src/core/main.go | 3 +++
 src/jobservice/api/server.go | 5 ++---
 src/registryctl/main.go | 9 ++++-----
 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/src/common/http/tls.go b/src/common/http/tls.go
index be7959ee7..20583a8fd 100644
--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@@ -60,3 +60,24 @@ func GetInternalTLSConfig() (*tls.Config, error) {
 Certificates: []tls.Certificate{cert},
 }, nil
 }
+
+// NewServerTLSConfig returns a modern tls config,
+// refer to https://blog.cloudflare.com/exposing-go-on-the-internet/
+func NewServerTLSConfig() *tls.Config {
+ return &tls.Config{
+ PreferServerCipherSuites: true,
+ CurvePreferences: []tls.CurveID{
+ tls.CurveP256,
+ tls.X25519,
+ },
+ MinVersion: tls.VersionTLS12,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ }
+}
diff --git a/src/core/main.go b/src/core/main.go
index 0489d8f15..4d0e86b07 100755
--- a/src/core/main.go
+++ b/src/core/main.go
@@ -24,6 +24,7 @@ import (
 "github.com/astaxie/beego"
 _ "github.com/astaxie/beego/session/redis"
+ "github.com/goharbor/harbor/src/common/dao"
 common_http "github.com/goharbor/harbor/src/common/http"
 "github.com/goharbor/harbor/src/common/job"
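Review bot: The doc comment on `NewServerTLSConfig` should state that `CipherSuites` and `PreferServerCipherSuites` govern TLS 1.2 handshakes only — with `MinVersion` at 1.2 and no `MaxVersion`, a Go toolchain that enables TLS 1.3 by default will still negotiate 1.3 and choose from its own fixed suite set, so this list is not the full picture of what a peer can negotiate. The commit message describes the suites as "strength above 256", yet the last two entries are AES-128-GCM; that is a sound choice, but the comment should own it rather than leave the message to imply otherwise. Suggested header: `// NewServerTLSConfig returns a fresh *tls.Config for Harbor's internal listeners: TLS 1.2 minimum,` / `// ECDHE-only AEAD suites (TLS 1.2 handshakes only; Go selects TLS 1.3 suites itself), P-256 and X25519.` / `// Every call returns a new value, so callers may set ClientAuth/ClientCAs on it without sharing state.` Which Go version Harbor builds with, and therefore whether TLS 1.3 is on by default, is not visible in this patch.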
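Review bot: The added `"github.com/goharbor/harbor/src/common/dao"` import has no consumer anywhere in this patch, and Go rejects an unused import at compile time; presumably some line of main.go outside these hunks already references `dao`, or the line was inserted by a formatting tool, but either way it should be confirmed so the TLS change does not carry an unrelated edit. The import block this hunk touches begins before and ends after the visible lines.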
@@ -163,10 +164,12 @@ func main() {
 iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
 log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
+ beego.BConfig.Listen.EnableHTTP = false
 beego.BConfig.Listen.EnableHTTPS = true
 beego.BConfig.Listen.HTTPSPort = 8443
 beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
 beego.BConfig.Listen.HTTPSCertFile = iTLSCertPath
+ beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig()
 }
 log.Infof("Version: %s, Git commit: %s", version.ReleaseVersion, version.GitCommit)
diff --git a/src/jobservice/api/server.go b/src/jobservice/api/server.go
index 2898b9f9c..5295989da 100644
--- a/src/jobservice/api/server.go
+++ b/src/jobservice/api/server.go
@@ -70,14 +70,13 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {
 WriteTimeout: 15 * time.Second,
 ReadTimeout: 15 * time.Second,
 IdleTimeout: 60 * time.Second,
+ TLSConfig: commonhttp.NewServerTLSConfig(),
 }
 // Initialize TLS/SSL config if protocol is https
 if cfg.Protocol == config.JobServiceProtocolHTTPS && commonhttp.InternalEnableVerifyClientCert() {
 logger.Infof("mTLS enabled ...")
- srv.TLSConfig = &tls.Config{
- ClientAuth: tls.RequireAndVerifyClientCert,
- }
+ srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 }
 apiServer.httpServer = srv
diff --git a/src/registryctl/main.go b/src/registryctl/main.go
index 89d7ceaae..b910465db 100644
--- a/src/registryctl/main.go
+++ b/src/registryctl/main.go
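Review bot: `beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig()` depends on beego's `Run()` (not in view) handing `BeeApp.Server` to `ListenAndServeTLS` unchanged; if beego's own mutual-TLS listener option is ever turned on, beego builds a replacement `tls.Config` at run time and this one is discarded, so the assumption deserves a comment on the new line: `// beego serves HTTPS from BeeApp.Server: set TLSConfig before Run(); beego's own mutual-TLS option would replace it`. Whether the build of beego in use behaves that way cannot be confirmed from this patch. The enclosing `if` block starts before this hunk.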
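Review bot: `srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert` is set with no `ClientCAs` pool, so Go verifies presented client certificates against the host's system roots; unless the container's trust store contains only Harbor's internal CA, any client certificate chaining to a public CA in that store would satisfy the mTLS check. The fix is to load the internal CA bundle into an `x509.CertPool` and assign it to `srv.TLSConfig.ClientCAs` in the same branch, beside `ClientAuth`; the removed lines had the same gap, but centralising the config is the natural moment to close it. What the image's trust store holds is not visible from this patch, so treat this as a point to confirm. `TLSConfig` is also now populated when the protocol is plain HTTP; `ListenAndServe` ignores it, so this is harmless, but a short comment on the struct literal saying so would help the next reader.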
@@ -34,16 +34,15 @@ type RegistryCtl struct {
 // Start the registry controller
 func (s *RegistryCtl) Start() {
 regCtl := &http.Server{
- Addr: ":" + s.ServerConf.Port,
- Handler: s.Handler,
+ Addr: ":" + s.ServerConf.Port,
+ Handler: s.Handler,
+ TLSConfig: common_http.NewServerTLSConfig(),
 }
 var err error
 if s.ServerConf.Protocol == "https" {
 if common_http.InternalEnableVerifyClientCert() {
- regCtl.TLSConfig = &tls.Config{
- ClientAuth: tls.RequireAndVerifyClientCert,
- }
+ regCtl.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 }
 err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
 } else {

From 75f78b64b2c9b8efa29be098af737f8d7929e437 Mon Sep 17 00:00:00 2001
From: DQ
Date: Mon, 13 Apr 2020 17:50:37 +0800
Subject: [PATCH 2/2] Set registry tls version to 1.2 when internal tls enabled

set min version of registry to 1.2

Signed-off-by: DQ
---
 make/photon/prepare/templates/registry/config.yml.jinja | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/make/photon/prepare/templates/registry/config.yml.jinja b/make/photon/prepare/templates/registry/config.yml.jinja
index 89d2fac2f..0acfeaa17 100644
--- a/make/photon/prepare/templates/registry/config.yml.jinja
+++ b/make/photon/prepare/templates/registry/config.yml.jinja
@@ -23,6 +23,8 @@ redis:
 http:
 {% if internal_tls.enabled %}
 addr: :5443
+ tls:
+ minimumtls: tls1.2
 {% else %}
 addr: :5000
 {% endif %}
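Review bot: The `if common_http.InternalEnableVerifyClientCert()` branch here duplicates the one in the jobservice server setup (same helper, same `ClientAuth` assignment), and both leave `ClientCAs` unset, so client certificates are verified against the system root pool rather than only Harbor's internal CA; folding the mTLS step into the shared helper — a `common_http` variant that also loads the internal CA into `ClientCAs` when client-cert verification is enabled — would close that gap once and keep the two listeners from drifting. As written, the populated `TLSConfig` is also carried into the `} else {` plain-HTTP path, where `ListenAndServe` ignores it; harmless, but worth a one-line comment on the struct literal. Whether the image's trust store is restricted to the internal CA is not visible here. `Start`'s body, including that `else` branch, continues past the end of this hunk.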
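Review bot: `tls:` / `minimumtls: tls1.2` is added as its own mapping under `http:` inside the `internal_tls.enabled` branch; if the template already declares an `http.tls` mapping for the listener certificate and key further down (not visible here), this becomes a duplicate key, and YAML loaders either reject the document or let the later mapping win, which would silently drop the minimum-version setting — the new key belongs in that same `tls:` block. It is also worth confirming that the registry binary Harbor bundles understands `http.tls.minimumtls`: if its config loader ignores unknown keys, as non-strict YAML decoding does, an unsupported key leaves the default minimum in force with no error. A check on the rendered config in the prepare step (a single `tls:` under `http:` carrying `minimumtls`) would catch both.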