[FAB-4848] Only allow TLS 1.2

Prior to this change, it was possible to use TLS version < 1.2 to connect to gRPC endpoints. This change sets the min/max TLS version to 1.2 for the common gRPC server used by all production gRPC endpoints. It does not change the min version for the various generic gRPC servers used in other tests. Change-Id: Ibf34777976551d12861599fb5ef37a93b07ece95 Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
hyperledger · Jun 18, 2017 · 3e1e4ad · 3e1e4ad
1 parent feded5a
commit 3e1e4ad
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 12 deletions.
diff --git a/core/comm/creds.go b/core/comm/creds.go
@@ -33,6 +33,9 @@ func NewServerTransportCredentials(serverConfig *tls.Config) credentials.Transpo
 	// NOTE: unlike the default grpc/credentials implementation, we do not
 	// clone the tls.Config which allows us to update it dynamically
 	serverConfig.NextProtos = alpnProtoStr
+	// override TLS version and ensure it is 1.2
+	serverConfig.MinVersion = tls.VersionTLS12
+	serverConfig.MaxVersion = tls.VersionTLS12
 	return &serverCreds{serverConfig}
 }
 

diff --git a/core/comm/server_test.go b/core/comm/server_test.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2016 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-		 http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package comm_test
@@ -641,6 +631,20 @@ func TestNewSecureGRPCServer(t *testing.T) {
 	} else {
 		t.Log("GRPC client successfully invoked the EmptyCall service: " + testAddress)
 	}
+
+	// ensure that TLS 1.2 in required / enforced
+	for _, tlsVersion := range []uint16{tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11} {
+		_, err = invokeEmptyCall(testAddress,
+			[]grpc.DialOption{grpc.WithTransportCredentials(
+				credentials.NewTLS(&tls.Config{
+					RootCAs:    certPool,
+					MinVersion: tlsVersion,
+					MaxVersion: tlsVersion,
+				}))})
+		t.Logf("TLSVersion [%d] failed with [%s]", tlsVersion, err)
+		assert.Error(t, err, "Should not have been able to connect with TLS version < 1.2")
+		assert.Contains(t, err.Error(), "protocol version not supported")
+	}
 }
 
 func TestNewSecureGRPCServerFromListener(t *testing.T) {