tls: add cipher flag #9216
tls: add cipher flag #9216
Conversation
|
@dvonthenen Could you help review this? Thanks! |
|
@gyuho sure thing! |
etcdctl/ctlv2/command/util.go
Outdated
| @@ -167,16 +170,24 @@ func getTransport(c *cli.Context) (*http.Transport, error) { | |||
| if keyfile == "" { | |||
| keyfile = os.Getenv("ETCDCTL_KEY_FILE") | |||
| } | |||
| if insecureSkipVerify == false { | |||
| insecureSkipVerify = os.Getenv("ETCDCTL_INSECURE_SKIP_TLS_VERIFY") != "" | |||
There was a problem hiding this comment.
I think this should be something to the effect of insecureSkipVerify = strings.EqualFold(os.Getenv("ETCDCTL_INSECURE_SKIP_TLS_VERIFY"), "TRUE"). Anything that doesn't match "true" from the ENV VAR is considered implicitly false.
|
@ThatsMrTalbot In reference to only working with I did test setting a single arbitrary shared cipher between etcd and etcdctl (in my test case TLS_RSA_WITH_AES_256_GCM_SHA384) and it seemed to work just fine. Just a quick look at OpenSSL latest using the -tls1_2 option, the only mutual ones are (the one with the [ ] is the one you noted works) again this depends on the version you are using:
|
etcdctl/ctlv2/ctl.go
Outdated
| cli.GenericFlag{Name: "cipher-suites", | ||
| Value: flags.NewStringSliceFlag(tlsutil.AvailableCipherSuites()...), | ||
| Usage: "Comma-separated list of cipher suites for the server. " + | ||
| "Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). " + |
There was a problem hiding this comment.
suggest enumerating the values in AvailableCipherSuites() rather than referencing godoc
| @@ -54,6 +56,12 @@ func Start(apiv string) { | |||
| cli.StringFlag{Name: "cert-file", Value: "", Usage: "identify HTTPS client using this SSL certificate file"}, | |||
| cli.StringFlag{Name: "key-file", Value: "", Usage: "identify HTTPS client using this SSL key file"}, | |||
| cli.StringFlag{Name: "ca-file", Value: "", Usage: "verify certificates of HTTPS-enabled servers using this CA bundle"}, | |||
| cli.BoolFlag{Name: "insecure-skip-tls-verify", Usage: "skip server certificate verification"}, | |||
| cli.GenericFlag{Name: "cipher-suites", | |||
| Value: flags.NewStringSliceFlag(tlsutil.AvailableCipherSuites()...), | |||
There was a problem hiding this comment.
does this mean AvailableCipherSuites() is the default value? I didn't think all available ciphers were included in the default set in go
There was a problem hiding this comment.
It is used to validate the provided list, but the default value is still a nil slice (which is what is currently used)
| @@ -155,6 +156,8 @@ func getTransport(c *cli.Context) (*http.Transport, error) { | |||
| cafile := c.GlobalString("ca-file") | |||
| certfile := c.GlobalString("cert-file") | |||
| keyfile := c.GlobalString("key-file") | |||
| insecureSkipVerify := c.GlobalBool("insecure-skip-tls-verify") | |||
There was a problem hiding this comment.
why do we need this in this PR?
There was a problem hiding this comment.
agree, would like this removed
| @@ -55,6 +58,12 @@ func Start(apiv string) { | |||
| cli.StringFlag{Name: "cert-file", Value: "", Usage: "identify HTTPS client using this SSL certificate file"}, | |||
| cli.StringFlag{Name: "key-file", Value: "", Usage: "identify HTTPS client using this SSL key file"}, | |||
| cli.StringFlag{Name: "ca-file", Value: "", Usage: "verify certificates of HTTPS-enabled servers using this CA bundle"}, | |||
| cli.BoolFlag{Name: "insecure-skip-tls-verify", Usage: "skip server certificate verification"}, | |||
There was a problem hiding this comment.
do we need this in this PR? or it can be separated to another one?
There was a problem hiding this comment.
I added it to make local testing easier, can break it out if you want
| @@ -63,6 +65,9 @@ func init() { | |||
| rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CertFile, "cert", "", "identify secure client using this TLS certificate file") | |||
| rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.KeyFile, "key", "", "identify secure client using this TLS key file") | |||
| rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CAFile, "cacert", "", "verify certificates of TLS-enabled secure servers using this CA bundle") | |||
| rootCmd.PersistentFlags().StringSliceVar(&globalFlags.TLS.CipherSuites, "cipher-suites", nil, "comma-separated list of cipher suites for the server. "+ | |||
| "Available cipher suites include "+strings.Join(tlsutil.AvailableCipherSuites(), ",")+". "+ | |||
There was a problem hiding this comment.
nit: join with ", " so text can wrap
| @@ -158,6 +160,8 @@ security flags: | |||
| peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. | |||
| --peer-crl-file '' | |||
| path to the peer certificate revocation list file. | |||
| --cipher-suites '' | |||
| comma-separated list of cipher suites for the server. Available cipher suites include ` + strings.Join(tlsutil.AvailableCipherSuites(), ",") + `. If omitted, the default Go cipher suites will be used. | |||
|
|
||
| // StringSliceFlag implements the flag.Value and pflag.Value interfaces. | ||
| type StringSliceFlag struct { | ||
| Values []string |
There was a problem hiding this comment.
this is a confusing name, maybe ValidValues instead?
|
|
||
| // NewStringSliceFlag creates a new string slice flag for which any one of the given | ||
| // strings is a valid value, and any other value is an error. | ||
| func NewStringSliceFlag(valids ...string) *StringSliceFlag { |
There was a problem hiding this comment.
suggest giving separate control over valid values and default value(s), instead of assuming []string{}
| return c | ||
| } | ||
|
|
||
| func TLSCipherSuites(cipherNames []string) ([]uint16, error) { |
There was a problem hiding this comment.
suggest a test like https://github.com/kubernetes/kubernetes/pull/48859/files#diff-4deda4b18dd1fb07896598924e440970R77 to make sure this doesn't drift or lag golang supported ciphers
|
Default should be empty, and let Go populate the list with prioritized ordering. |
WIP implementation of TLS Cyphers flags (#8320)
This adds a new flag to the client and server specifying what tls cypher suites to enable, if not set then the full set will be available
It currently only seems to work when the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite is provided. If it isn't in the list then I get an error in the etcd logs (see below) and
openssl s_client -connect 127.0.0.1:2379 -tls1_2refuses to connectError from etcd logs when TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is not provided:
Any insight would be appreciated