Skip to content

Allow the config API consumer to modify the serv/client default configs #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 31, 2018
Merged

Allow the config API consumer to modify the serv/client default configs #45

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5bd7d32
Allow the config api consumer to modify the server and client default…
n4ss Jan 30, 2018
088c242
Add unit tests for default client&server TLS config generator modifiers
n4ss Jan 31, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 17 additions & 5 deletions tlsconfig/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,22 +65,34 @@ var allTLSVersions = map[uint16]struct{}{
}

// ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.
func ServerDefault() *tls.Config {
return &tls.Config{
// Avoid fallback to SSL protocols < TLS1.0
func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
tlsconfig := &tls.Config{
// Avoid fallback by default to SSL protocols < TLS1.0
MinVersion: tls.VersionTLS10,
PreferServerCipherSuites: true,
CipherSuites: DefaultServerAcceptedCiphers,
}

for _, op := range ops {
op(tlsconfig)
}

return tlsconfig
}

// ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.
func ClientDefault() *tls.Config {
return &tls.Config{
func ClientDefault(ops ...func(*tls.Config)) *tls.Config {
tlsconfig := &tls.Config{
// Prefer TLS1.2 as the client minimum
MinVersion: tls.VersionTLS12,
CipherSuites: clientCipherSuites,
}

for _, op := range ops {
op(tlsconfig)
}

return tlsconfig
}

// certPool returns an X.509 certificate pool from `caFile`, the certificate file.
Expand Down
38 changes: 38 additions & 0 deletions tlsconfig/config_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,6 +287,44 @@ func TestConfigServerExclusiveRootPools(t *testing.T) {
}
}

// If we provide a modifier to the server's default TLS configuration generator, it
// should be applied accordingly
func TestConfigServerDefaultWithTLSMinimumModifier(t *testing.T) {
tlsVersions := []uint16{
tls.VersionTLS11,
tls.VersionTLS12,
}

for _, tlsVersion := range tlsVersions {
servDefault := ServerDefault(func(c *tls.Config) {
c.MinVersion = tlsVersion
})

if servDefault.MinVersion != tlsVersion {
t.Fatalf("Unexpected min TLS version for default server TLS config: ", servDefault.MinVersion)
}
}
}

// If we provide a modifier to the client's default TLS configuration generator, it
// should be applied accordingly
func TestConfigClientDefaultWithTLSMinimumModifier(t *testing.T) {
tlsVersions := []uint16{
tls.VersionTLS11,
tls.VersionTLS12,
}

for _, tlsVersion := range tlsVersions {
clientDefault := ClientDefault(func(c *tls.Config) {
c.MinVersion = tlsVersion
})

if clientDefault.MinVersion != tlsVersion {
t.Fatalf("Unexpected min TLS version for default client TLS config: ", clientDefault.MinVersion)
}
}
}

// If a valid minimum version is specified in the options, the server's
// minimum version should be set accordingly
func TestConfigServerTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
Expand Down