Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hardened tls cipher suits and added option for tls min version #315

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Hardened tls cipher suits and added option for tls min version #315

wants to merge 4 commits into from

Conversation

DarkSpir
Copy link

@DarkSpir DarkSpir commented Dec 5, 2024
edited
Loading

What is the purpose of this change? What does it change?

With tls activated, the rest-server will provide insecure tls versions and insecure or broken tls cipher suits. This change configures the default settings in tls mode, sets a secure set of cipher suits (according to CIS NGINX Benchmark v2.1.0) and sets up TLSv1.2 as min version. It also adds a command line parameter to select a different version as min version.

The current version of the crypto.tls library also sets a small, secure set of cipher suits as default and limits the available TLS versions to 1.2 and 1.3. Earlier versions are also available but have to be explicitly enabled during compilation.

Was the change discussed in an issue or in the forum before?

Closes #251

Checklist

  • I have enabled maintainer edits for this PR
  • I have added tests for all changes in this PR
  • I have added documentation for the changes (in the manual)
  • There's a new file in changelog/unreleased/ that describes the changes for our users (template here)
  • I have run gofmt on the code in all commits
  • All commit messages are formatted in the same style as the other commits in the repo
  • I'm done, this Pull Request is ready for review

darkspir and others added 4 commits December 5, 2024 12:58
handlers.go: Added parameter for TLS min version
ddc5ad1 
rest-server/main.go: Added parameter handling for TLS min version

rest-server/main.go: Added crypto.tls, implemented and configured tlsConfig object
@DarkSpir
tls min version parameter documentation
250bcb5
Style correction of previous commits according to gofmt output
3fa600b
Added changelog documentation
ba80de0
@DarkSpir
Copy link
Author

DarkSpir commented Dec 5, 2024

I actually have no idea how the tests work. From what I can guess out of main_test.go I assume it tests the program response to certain conditions to ensure it will throw errors when parameters are missing or misleading. If that's the case I think it is not necessary to add tests for what I did, because if --tls-min-ver is missing or provides a wrong value, it defaults to TLSv1.2. Even when a user sets --tls-min-ver 1.0 and the build option is not set, the library will internally default to 1.2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure default or configurable TLS settings
1 participant
@DarkSpir