privilege: add min TLS version for LDAP (pingcap#50527)

ref pingcap#36036
bb7133 · Jan 31, 2024 · 0c1b094 · 0c1b094
1 parent 38dd336
commit 0c1b094
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 0 deletions.
diff --git a/pkg/privilege/privileges/ldap/BUILD.bazel b/pkg/privilege/privileges/ldap/BUILD.bazel
@@ -29,5 +29,6 @@ go_test(
         "test/ldap.key",
     ],
     flaky = True,
+    shard_count = 3,
     deps = ["@com_github_stretchr_testify//require"],
 )
diff --git a/pkg/privilege/privileges/ldap/ldap_common.go b/pkg/privilege/privileges/ldap/ldap_common.go
@@ -123,6 +123,7 @@ func (impl *ldapAuthImpl) tryConnectLDAPThroughStartTLS(address string) (*ldap.C
 	err = ldapConnection.StartTLS(&tls.Config{
 		RootCAs:    impl.caPool,
 		ServerName: impl.ldapServerHost,
+		MinVersion: tls.VersionTLS12,
 	})
 	if err != nil {
 		ldapConnection.Close()
@@ -136,6 +137,7 @@ func (impl *ldapAuthImpl) tryConnectLDAPThroughTLS(address string) (*ldap.Conn,
 	ldapConnection, err := ldap.DialTLS("tcp", address, &tls.Config{
 		RootCAs:    impl.caPool,
 		ServerName: impl.ldapServerHost,
+		MinVersion: tls.VersionTLS12,
 	})
 	if err != nil {
 		return nil, err

diff --git a/pkg/privilege/privileges/ldap/ldap_common_test.go b/pkg/privilege/privileges/ldap/ldap_common_test.go
@@ -108,3 +108,67 @@ func TestConnectThrough636(t *testing.T) {
 	require.NoError(t, err)
 	defer conn.Close()
 }
+
+func TestConnectWithTLS11(t *testing.T) {
+	var ln net.Listener
+
+	startListen := make(chan struct{})
+
+	// this test only tests whether the LDAP with LTS enabled will fallback from StartTLS
+	randomTLSServicePort := rand.Int()%10000 + 10000
+	serverWg := &sync.WaitGroup{}
+	serverWg.Add(1)
+	go func() {
+		defer close(startListen)
+		defer serverWg.Done()
+
+		cert, err := tls.X509KeyPair(tlsCrtStr, tlsKeyStr)
+		require.NoError(t, err)
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			MaxVersion:   tls.VersionTLS11,
+		}
+		ln, err = tls.Listen("tcp", fmt.Sprintf("localhost:%d", randomTLSServicePort), tlsConfig)
+		require.NoError(t, err)
+		startListen <- struct{}{}
+
+		for {
+			conn, err := ln.Accept()
+			if err != nil {
+				break
+			}
+
+			// handling one connection at a time is enough for test
+			func() {
+				defer func() {
+					require.NoError(t, conn.Close())
+				}()
+
+				r := bufio.NewReader(conn)
+				for {
+					_, err := r.ReadByte()
+					if err != nil {
+						break
+					}
+				}
+			}()
+		}
+	}()
+
+	<-startListen
+	defer func() {
+		require.NoError(t, ln.Close())
+		serverWg.Wait()
+	}()
+
+	impl := &ldapAuthImpl{}
+	impl.SetEnableTLS(true)
+	impl.SetLDAPServerHost("localhost")
+	impl.SetLDAPServerPort(randomTLSServicePort)
+
+	impl.caPool = x509.NewCertPool()
+	require.True(t, impl.caPool.AppendCertsFromPEM(tlsCAStr))
+
+	_, err := impl.connectionFactory()
+	require.ErrorContains(t, err, "protocol version not supported")
+}