-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: add cipher flag #9216
tls: add cipher flag #9216
Conversation
@dvonthenen Could you help review this? Thanks! |
@gyuho sure thing! |
etcdctl/ctlv2/command/util.go
Outdated
@@ -167,16 +170,24 @@ func getTransport(c *cli.Context) (*http.Transport, error) { | |||
if keyfile == "" { | |||
keyfile = os.Getenv("ETCDCTL_KEY_FILE") | |||
} | |||
if insecureSkipVerify == false { | |||
insecureSkipVerify = os.Getenv("ETCDCTL_INSECURE_SKIP_TLS_VERIFY") != "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be something to the effect of insecureSkipVerify = strings.EqualFold(os.Getenv("ETCDCTL_INSECURE_SKIP_TLS_VERIFY"), "TRUE")
. Anything that doesn't match "true" from the ENV VAR is considered implicitly false.
@ThatsMrTalbot In reference to only working with I did test setting a single arbitrary shared cipher between etcd and etcdctl (in my test case TLS_RSA_WITH_AES_256_GCM_SHA384) and it seemed to work just fine. Just a quick look at OpenSSL latest using the -tls1_2 option, the only mutual ones are (the one with the [ ] is the one you noted works) again this depends on the version you are using:
|
etcdctl/ctlv2/ctl.go
Outdated
cli.GenericFlag{Name: "cipher-suites", | ||
Value: flags.NewStringSliceFlag(tlsutil.AvailableCipherSuites()...), | ||
Usage: "Comma-separated list of cipher suites for the server. " + | ||
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest enumerating the values in AvailableCipherSuites() rather than referencing godoc
@@ -54,6 +56,12 @@ func Start(apiv string) { | |||
cli.StringFlag{Name: "cert-file", Value: "", Usage: "identify HTTPS client using this SSL certificate file"}, | |||
cli.StringFlag{Name: "key-file", Value: "", Usage: "identify HTTPS client using this SSL key file"}, | |||
cli.StringFlag{Name: "ca-file", Value: "", Usage: "verify certificates of HTTPS-enabled servers using this CA bundle"}, | |||
cli.BoolFlag{Name: "insecure-skip-tls-verify", Usage: "skip server certificate verification"}, | |||
cli.GenericFlag{Name: "cipher-suites", | |||
Value: flags.NewStringSliceFlag(tlsutil.AvailableCipherSuites()...), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does this mean AvailableCipherSuites() is the default value? I didn't think all available ciphers were included in the default set in go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is used to validate the provided list, but the default value is still a nil slice (which is what is currently used)
@@ -155,6 +156,8 @@ func getTransport(c *cli.Context) (*http.Transport, error) { | |||
cafile := c.GlobalString("ca-file") | |||
certfile := c.GlobalString("cert-file") | |||
keyfile := c.GlobalString("key-file") | |||
insecureSkipVerify := c.GlobalBool("insecure-skip-tls-verify") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we need this in this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree, would like this removed
@@ -55,6 +58,12 @@ func Start(apiv string) { | |||
cli.StringFlag{Name: "cert-file", Value: "", Usage: "identify HTTPS client using this SSL certificate file"}, | |||
cli.StringFlag{Name: "key-file", Value: "", Usage: "identify HTTPS client using this SSL key file"}, | |||
cli.StringFlag{Name: "ca-file", Value: "", Usage: "verify certificates of HTTPS-enabled servers using this CA bundle"}, | |||
cli.BoolFlag{Name: "insecure-skip-tls-verify", Usage: "skip server certificate verification"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we need this in this PR? or it can be separated to another one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added it to make local testing easier, can break it out if you want
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yea. please break it out.
@@ -63,6 +65,9 @@ func init() { | |||
rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CertFile, "cert", "", "identify secure client using this TLS certificate file") | |||
rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.KeyFile, "key", "", "identify secure client using this TLS key file") | |||
rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CAFile, "cacert", "", "verify certificates of TLS-enabled secure servers using this CA bundle") | |||
rootCmd.PersistentFlags().StringSliceVar(&globalFlags.TLS.CipherSuites, "cipher-suites", nil, "comma-separated list of cipher suites for the server. "+ | |||
"Available cipher suites include "+strings.Join(tlsutil.AvailableCipherSuites(), ",")+". "+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: join with ", "
so text can wrap
@@ -158,6 +160,8 @@ security flags: | |||
peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. | |||
--peer-crl-file '' | |||
path to the peer certificate revocation list file. | |||
--cipher-suites '' | |||
comma-separated list of cipher suites for the server. Available cipher suites include ` + strings.Join(tlsutil.AvailableCipherSuites(), ",") + `. If omitted, the default Go cipher suites will be used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
", "
|
||
// StringSliceFlag implements the flag.Value and pflag.Value interfaces. | ||
type StringSliceFlag struct { | ||
Values []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a confusing name, maybe ValidValues instead?
|
||
// NewStringSliceFlag creates a new string slice flag for which any one of the given | ||
// strings is a valid value, and any other value is an error. | ||
func NewStringSliceFlag(valids ...string) *StringSliceFlag { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest giving separate control over valid values and default value(s), instead of assuming []string{}
return c | ||
} | ||
|
||
func TLSCipherSuites(cipherNames []string) ([]uint16, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest a test like https://github.com/kubernetes/kubernetes/pull/48859/files#diff-4deda4b18dd1fb07896598924e440970R77 to make sure this doesn't drift or lag golang supported ciphers
Default should be empty, and let Go populate the list with prioritized ordering. |
WIP implementation of TLS Cyphers flags (#8320)
This adds a new flag to the client and server specifying what tls cypher suites to enable, if not set then the full set will be available
It currently only seems to work when the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite is provided. If it isn't in the list then I get an error in the etcd logs (see below) and
openssl s_client -connect 127.0.0.1:2379 -tls1_2
refuses to connectError from etcd logs when TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is not provided:
Any insight would be appreciated