Infrastructure/zot
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-30 22:34:13 -05:00
Code Issues Activity

tls: set min version to 1.2 and restrict cipher suites

Browse source 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
This commit is contained in:
Ramkumar Chinchani 2022-03-01 20:57:56 +00:00 committed by Ramkumar Chinchani
parent 45968e0bb7
commit 3ada6af0de
5 changed files with 90 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
.github/workflows/tls.yaml vendored Normal file
View file

@ -0,0 +1,47 @@
name: "TLS protocol scan"
on:
push:
branches:
- main
pull_request:
# The branches below must be a subset of the branches above
branches: [main]
jobs:
tls-check:
runs-on: ubuntu-latest
strategy:
matrix:
os: [linux]
arch: [amd64]
name: TLS check
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.17.x
- name: Install dependencies
run: |
cd $GITHUB_WORKSPACE
sudo apt-get update
sudo apt-get install -y apache2-utils openssl
mkdir -p test/data
cd test/data
../scripts/gen_certs.sh
htpasswd -bBn test test123 > htpasswd
- name: Check for TLS settings
continue-on-error: true
run: |
cd $GITHUB_WORKSPACE
make OS=$OS ARCH=$ARCH binary
bin/zot-$OS-$ARCH serve examples/config-tls.json &
sleep 5
curl -kv --tls-max 1.0 -0 https://localhost:8080/v2/
if [[ "$?" -eq 0 ]]; then echo "TLSv1.0 detected"; exit 1; fi
curl -kv --tls-max 1.1 -0 https://localhost:8080/v2/
if [[ "$?" -eq 0 ]]; then echo "TLSv1.1 detected"; exit 1; fi
curl -kv --tls-max 1.2 -0 https://localhost:8080/v2/
if [[ "$?" -ne 0 ]]; then echo "TLSv1.2 missing"; exit 1; fi
env:
OS: ${{ matrix.os }}
ARCH: ${{ matrix.arch }}

18
examples/config-tls.json Normal file
View file

@ -0,0 +1,18 @@
{
"version":"0.1.0-dev",
"storage":{
"rootDirectory":"/tmp/zot"
},
"http": {
"address":"127.0.0.1",
"port":"8080",
"realm":"zot",
"tls": {
"cert":"test/data/server.cert",
"key":"test/data/server.key"
}
},
"log":{
"level":"debug"
}
}

4
go.mod
View file

@ -55,7 +55,7 @@ require (
github.com/urfave/cli/v2 v2.3.0
github.com/vektah/gqlparser/v2 v2.2.0
go.etcd.io/bbolt v1.3.6
golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa
golang.org/x/crypto v0.0.0-20220214200702-86341886e292
gopkg.in/resty.v1 v1.12.0
gopkg.in/yaml.v2 v2.4.0
)
@ -354,7 +354,7 @@ require (
go.uber.org/multierr v1.7.0 // indirect
go.uber.org/zap v1.19.1 // indirect
golang.org/x/mod v0.5.1 // indirect
golang.org/x/net v0.0.0-20211111160137-58aab5ef257a // indirect
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect

4
go.sum
View file

@ -2580,6 +2580,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa h1:idItI2DDfCokpg0N51B2VtiLdJ4vAuXC9fnCb2gACo4=
golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -2717,6 +2719,8 @@ golang.org/x/net v0.0.0-20211005001312-d4b1ae081e3b/go.mod h1:9nx3DQGgdP8bBQD5qx
golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211111160137-58aab5ef257a h1:c83jeVQW0KGKNaKBRfelNYNHaev+qawl9yaA825s8XE=
golang.org/x/net v0.0.0-20211111160137-58aab5ef257a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=

26
pkg/api/controller.go
View file

@ -164,6 +164,23 @@ func (c *Controller) Run() error {
}
if c.Config.HTTP.TLS != nil && c.Config.HTTP.TLS.Key != "" && c.Config.HTTP.TLS.Cert != "" {
server.TLSConfig = &tls.Config{
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
CurvePreferences: []tls.CurveID{
tls.CurveP256,
tls.X25519,
},
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
if c.Config.HTTP.TLS.CACert != "" {
clientAuth := tls.VerifyClientCertIfGiven
if (c.Config.HTTP.Auth == nil || c.Config.HTTP.Auth.HTPasswd.Path == "") && !c.Config.HTTP.AllowReadAccess {
@ -181,13 +198,8 @@ func (c *Controller) Run() error {
panic(errors.ErrBadCACert)
}
server.TLSConfig = &tls.Config{
ClientAuth: clientAuth,
ClientCAs: caCertPool,
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
server.TLSConfig.BuildNameToCertificate()
server.TLSConfig.ClientAuth = clientAuth
server.TLSConfig.ClientCAs = caCertPool
}
return server.ServeTLS(listener, c.Config.HTTP.TLS.Cert, c.Config.HTTP.TLS.Key)