limit tls cipher selection

tkatila · tkatila · commit a5ca5f8aa33c · 2024-08-14T15:56:21.000+03:00
Signed-off-by: Tuomas Katila &lt;tuomas.katila@intel.com&gt;
diff --git a/cmd/fpga_admissionwebhook/main.go b/cmd/fpga_admissionwebhook/main.go
@@ -55,7 +55,15 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		// fix TLS version to 1.2 as 1.3 doesn't allow cipher selection
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -135,7 +135,14 @@ func main() {
 	}
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{
diff --git a/cmd/sgx_admissionwebhook/main.go b/cmd/sgx_admissionwebhook/main.go
@@ -37,7 +37,15 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		// fix TLS version to 1.2 as 1.3 doesn't allow cipher selection
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{
diff --git a/deployments/operator/default/manager_auth_proxy_patch.yaml b/deployments/operator/default/manager_auth_proxy_patch.yaml
@@ -15,7 +15,7 @@ spec:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
-        - "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
         - "--v=10"
         ports:
         - containerPort: 8443

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,14 @@ func main() {`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`tlsCfgFunc := func(cfg *tls.Config) {`
`138`		`- cfg.MinVersion = tls.VersionTLS13`
	`138`	`+ cfg.MinVersion = tls.VersionTLS12`
	`139`	`+ cfg.MaxVersion = tls.VersionTLS12`
	`140`	`+ cfg.CipherSuites = []uint16{`
	`141`	`+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
	`142`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
	`143`	`+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
	`144`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
	`145`	`+ }`
`139`	`146`	`}`
`140`	`147`
`141`	`148`	`webhookOptions := webhook.Options{`