From b3db293091b1247973aae176b2e733debd87047b Mon Sep 17 00:00:00 2001 From: DQ Date: Mon, 13 Apr 2020 16:41:19 +0800 Subject: [PATCH] TLS update min version and cipher suits min version set to tls 1.2 suit only use ecdhe and strenth above 256 Signed-off-by: DQ --- src/common/http/tls.go | 21 +++++++++++++++++++++ src/core/main.go | 3 +++ src/jobservice/api/server.go | 5 ++--- src/registryctl/main.go | 9 ++++----- 4 files changed, 30 insertions(+), 8 deletions(-) diff --git a/src/common/http/tls.go b/src/common/http/tls.go index be7959ee7..20583a8fd 100644 --- a/src/common/http/tls.go +++ b/src/common/http/tls.go @@ -60,3 +60,24 @@ func GetInternalTLSConfig() (*tls.Config, error) { Certificates: []tls.Certificate{cert}, }, nil } + +// NewServerTLSConfig returns a modern tls config, +// refer to https://blog.cloudflare.com/exposing-go-on-the-internet/ +func NewServerTLSConfig() *tls.Config { + return &tls.Config{ + PreferServerCipherSuites: true, + CurvePreferences: []tls.CurveID{ + tls.CurveP256, + tls.X25519, + }, + MinVersion: tls.VersionTLS12, + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + } +} diff --git a/src/core/main.go b/src/core/main.go index 0489d8f15..4d0e86b07 100755 --- a/src/core/main.go +++ b/src/core/main.go @@ -24,6 +24,7 @@ import ( "github.com/astaxie/beego" _ "github.com/astaxie/beego/session/redis" + "github.com/goharbor/harbor/src/common/dao" common_http "github.com/goharbor/harbor/src/common/http" "github.com/goharbor/harbor/src/common/job" @@ -163,10 +164,12 @@ func main() { iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH") log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath) + beego.BConfig.Listen.EnableHTTP = false beego.BConfig.Listen.EnableHTTPS = true beego.BConfig.Listen.HTTPSPort = 8443 beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath beego.BConfig.Listen.HTTPSCertFile = iTLSCertPath + beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig() } log.Infof("Version: %s, Git commit: %s", version.ReleaseVersion, version.GitCommit) diff --git a/src/jobservice/api/server.go b/src/jobservice/api/server.go index 2898b9f9c..5295989da 100644 --- a/src/jobservice/api/server.go +++ b/src/jobservice/api/server.go @@ -70,14 +70,13 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server { WriteTimeout: 15 * time.Second, ReadTimeout: 15 * time.Second, IdleTimeout: 60 * time.Second, + TLSConfig: commonhttp.NewServerTLSConfig(), } // Initialize TLS/SSL config if protocol is https if cfg.Protocol == config.JobServiceProtocolHTTPS && commonhttp.InternalEnableVerifyClientCert() { logger.Infof("mTLS enabled ...") - srv.TLSConfig = &tls.Config{ - ClientAuth: tls.RequireAndVerifyClientCert, - } + srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert } apiServer.httpServer = srv diff --git a/src/registryctl/main.go b/src/registryctl/main.go index 89d7ceaae..b910465db 100644 --- a/src/registryctl/main.go +++ b/src/registryctl/main.go @@ -34,16 +34,15 @@ type RegistryCtl struct { // Start the registry controller func (s *RegistryCtl) Start() { regCtl := &http.Server{ - Addr: ":" + s.ServerConf.Port, - Handler: s.Handler, + Addr: ":" + s.ServerConf.Port, + Handler: s.Handler, + TLSConfig: common_http.NewServerTLSConfig(), } var err error if s.ServerConf.Protocol == "https" { if common_http.InternalEnableVerifyClientCert() { - regCtl.TLSConfig = &tls.Config{ - ClientAuth: tls.RequireAndVerifyClientCert, - } + regCtl.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert } err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key) } else {