Merge pull request #11592 from ninjadq/min_version_tls_to_12

Min version tls to 12

make/photon/prepare/templates/registry/config.yml.jinja

@@ -23,6 +23,8 @@ redis:
 http:
 {% if internal_tls.enabled %}
   addr: :5443
+  tls:
+    minimumtls: tls1.2
 {% else %}
   addr: :5000
 {% endif %}

src/common/http/tls.go

@@ -60,3 +60,24 @@ func GetInternalTLSConfig() (*tls.Config, error) {
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }
+
+// NewServerTLSConfig returns a modern tls config,
+// refer to https://blog.cloudflare.com/exposing-go-on-the-internet/
+func NewServerTLSConfig() *tls.Config {
+	return &tls.Config{
+		PreferServerCipherSuites: true,
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP256,
+			tls.X25519,
+		},
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+	}
+}

src/core/main.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/astaxie/beego"
 	_ "github.com/astaxie/beego/session/redis"
+
 	"github.com/goharbor/harbor/src/common/dao"
 	common_http "github.com/goharbor/harbor/src/common/http"
 	"github.com/goharbor/harbor/src/common/job"
@@ -163,10 +164,12 @@ func main() {
 		iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
 
 		log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
+		beego.BConfig.Listen.EnableHTTP = false
 		beego.BConfig.Listen.EnableHTTPS = true
 		beego.BConfig.Listen.HTTPSPort = 8443
 		beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
 		beego.BConfig.Listen.HTTPSCertFile = iTLSCertPath
+		beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig()
 	}
 
 	log.Infof("Version: %s, Git commit: %s", version.ReleaseVersion, version.GitCommit)

src/jobservice/api/server.go

@@ -70,14 +70,13 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {
 		WriteTimeout: 15 * time.Second,
 		ReadTimeout:  15 * time.Second,
 		IdleTimeout:  60 * time.Second,
+		TLSConfig:    commonhttp.NewServerTLSConfig(),
 	}
 
 	// Initialize TLS/SSL config if protocol is https
 	if cfg.Protocol == config.JobServiceProtocolHTTPS && commonhttp.InternalEnableVerifyClientCert() {
 		logger.Infof("mTLS enabled ...")
-		srv.TLSConfig = &tls.Config{
+		srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
-			ClientAuth: tls.RequireAndVerifyClientCert,
-		}
 	}
 
 	apiServer.httpServer = srv

src/registryctl/main.go

@@ -34,16 +34,15 @@ type RegistryCtl struct {
 // Start the registry controller
 func (s *RegistryCtl) Start() {
 	regCtl := &http.Server{
-		Addr:    ":" + s.ServerConf.Port,
+		Addr:      ":" + s.ServerConf.Port,
-		Handler: s.Handler,
+		Handler:   s.Handler,
+		TLSConfig: common_http.NewServerTLSConfig(),
 	}
 
 	var err error
 	if s.ServerConf.Protocol == "https" {
 		if common_http.InternalEnableVerifyClientCert() {
-			regCtl.TLSConfig = &tls.Config{
+			regCtl.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
-				ClientAuth: tls.RequireAndVerifyClientCert,
-			}
 		}
 		err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
 	} else {