Add TLS cipher suite options and CA path support

command/agent/config.go

@@ -14,10 +14,10 @@ import (
 
 	"github.com/hashicorp/consul/consul"
 	"github.com/hashicorp/consul/lib"
+	"github.com/hashicorp/consul/tlsutil"
 	"github.com/hashicorp/consul/types"
 	"github.com/hashicorp/consul/watch"
 	"github.com/mitchellh/mapstructure"
-	"github.com/hashicorp/consul/tlsutil"
 )
 
 // Ports is used to simplify the configuration by
@@ -490,8 +490,8 @@ type Config struct {
 	TLSMinVersion string `mapstructure:"tls_min_version"`
 
 	// TLSCipherSuites is used to specify the list of supported ciphersuites.
-	TLSCipherSuites []uint16 `mapstructure:"-" json:"-"`
-	TLSCipherSuitesRaw string `mapstructure:"tls_cipher_suites"`
+	TLSCipherSuites    []uint16 `mapstructure:"-" json:"-"`
+	TLSCipherSuitesRaw string   `mapstructure:"tls_cipher_suites"`
 
 	// TLSPreferServerCipherSuites specifies whether to prefer the server's ciphersuite
 	// over the client ciphersuites.

command/agent/config_test.go

@@ -12,8 +12,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/consul/lib"
 	"crypto/tls"
+	"github.com/hashicorp/consul/lib"
 )
 
 func TestConfigEncryptBytes(t *testing.T) {

tlsutil/config.go

@@ -418,4 +418,4 @@ func ParseCiphers(cipherStr string) ([]uint16, error) {
 	}
 
 	return suites, nil
-}
+}

tlsutil/config_test.go

@@ -6,10 +6,11 @@ import (
 	"io"
 	"io/ioutil"
 	"net"
+	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/yamux"
-	"reflect"
 )
 
 func TestConfig_AppendCA_None(t *testing.T) {
@@ -511,24 +512,44 @@ func TestConfig_IncomingTLS_TLSMinVersion(t *testing.T) {
 }
 
 func TestConfig_ParseCiphers(t *testing.T) {
-	testOk := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
+	testOk := strings.Join([]string{
+		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+		"TLS_RSA_WITH_AES_128_CBC_SHA",
+		"TLS_RSA_WITH_AES_128_GCM_SHA256",
+		"TLS_RSA_WITH_AES_256_CBC_SHA",
+		"TLS_RSA_WITH_AES_256_GCM_SHA384",
+	}, ",")
+	ciphers := []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	}
 	v, err := ParseCiphers(testOk)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if len(v) != 12 {
-		t.Fatal("missed ciphers after parse")
+	if got, want := v, ciphers; !reflect.DeepEqual(got, want) {
+		t.Fatalf("got ciphers %#v want %#v", got, want)
 	}
 
 	testBad := "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,cipherX"
 	if _, err := ParseCiphers(testBad); err == nil {
 		t.Fatal("should fail on unsupported cipherX")
 	}
-
-	testOrder := "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
-	v, _ = ParseCiphers(testOrder)
-	expected := []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_128_GCM_SHA256}
-	if !reflect.DeepEqual(expected, v) {
-		t.Fatal("cipher order is not preserved")
-	}
-}
+}