TLS update min version and cipher suits

min version set to tls 1.2 suit only use ecdhe and strenth above 256 Signed-off-by: DQ <dengq@vmware.com>
2024-11-27 12:46:03 +01:00 · 2020-04-13 16:41:19 +08:00 · 2020-04-13 16:41:19 +08:00 · b3db293091
commit b3db293091
parent 009662a317
4 changed files with 30 additions and 8 deletions
--- a/src/common/http/tls.go
+++ b/src/common/http/tls.go
@ -60,3 +60,24 @@ func GetInternalTLSConfig() (*tls.Config, error) {
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }
+
+// NewServerTLSConfig returns a modern tls config,
+// refer to https://blog.cloudflare.com/exposing-go-on-the-internet/
+func NewServerTLSConfig() *tls.Config {
+	return &tls.Config{
+		PreferServerCipherSuites: true,
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP256,
+			tls.X25519,
+		},
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		},
+	}
+}
--- a/src/core/main.go
+++ b/src/core/main.go
@ -24,6 +24,7 @@ import (

 	"github.com/astaxie/beego"
 	_ "github.com/astaxie/beego/session/redis"
+
 	"github.com/goharbor/harbor/src/common/dao"
 	common_http "github.com/goharbor/harbor/src/common/http"
 	"github.com/goharbor/harbor/src/common/job"
@ -163,10 +164,12 @@ func main() {
 		iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")

 		log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
+		beego.BConfig.Listen.EnableHTTP = false
 		beego.BConfig.Listen.EnableHTTPS = true
 		beego.BConfig.Listen.HTTPSPort = 8443
 		beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
 		beego.BConfig.Listen.HTTPSCertFile = iTLSCertPath
+		beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig()
 	}

 	log.Infof("Version: %s, Git commit: %s", version.ReleaseVersion, version.GitCommit)
--- a/src/jobservice/api/server.go
+++ b/src/jobservice/api/server.go
@ -70,14 +70,13 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {
 		WriteTimeout: 15 * time.Second,
 		ReadTimeout:  15 * time.Second,
 		IdleTimeout:  60 * time.Second,
+		TLSConfig:    commonhttp.NewServerTLSConfig(),
 	}

 	// Initialize TLS/SSL config if protocol is https
 	if cfg.Protocol == config.JobServiceProtocolHTTPS && commonhttp.InternalEnableVerifyClientCert() {
 		logger.Infof("mTLS enabled ...")
-		srv.TLSConfig = &tls.Config{
-			ClientAuth: tls.RequireAndVerifyClientCert,
-		}
+		srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 	}

 	apiServer.httpServer = srv
--- a/src/registryctl/main.go
+++ b/src/registryctl/main.go
@ -34,16 +34,15 @@ type RegistryCtl struct {
 // Start the registry controller
 func (s *RegistryCtl) Start() {
 	regCtl := &http.Server{
-		Addr:    ":" + s.ServerConf.Port,
-		Handler: s.Handler,
+		Addr:      ":" + s.ServerConf.Port,
+		Handler:   s.Handler,
+		TLSConfig: common_http.NewServerTLSConfig(),
 	}

 	var err error
 	if s.ServerConf.Protocol == "https" {
 		if common_http.InternalEnableVerifyClientCert() {
-			regCtl.TLSConfig = &tls.Config{
-				ClientAuth: tls.RequireAndVerifyClientCert,
-			}
+			regCtl.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		}
 		err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
 	} else {