Merge pull request #144 from NikitaSkrynnik/tls12

Set minumum TLS version to 1.2
networkservicemesh · May 29, 2022 · db5cf5c · db5cf5c
2 parents 4a27ecb + 6a79cba
commit db5cf5c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -35,7 +35,7 @@ linters-settings:
   dupl:
     threshold: 150
   funlen:
-    Lines: 110
+    Lines: 115
     Statements: 60
   goconst:
     min-len: 2

diff --git a/main.go b/main.go
@@ -24,6 +24,7 @@ package main
 import (
 	"context"
 	"crypto/md5"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -156,13 +157,13 @@ func getParentIfname(nseName string) string {
 	return nif[:kernelmech.LinuxIfMaxLength]
 }
 
-func registerGRPCServer(source *workloadapi.X509Source, responderEndpoint *endpoint.Endpoint) *grpc.Server {
+func registerGRPCServer(tlsServerConfig *tls.Config, responderEndpoint *endpoint.Endpoint) *grpc.Server {
 	options := append(
 		tracing.WithTracing(),
 		grpc.Creds(
 			grpcfd.TransportCredentials(
 				credentials.NewTLS(
-					tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeAny()),
+					tlsServerConfig,
 				),
 			),
 		),
@@ -173,15 +174,15 @@ func registerGRPCServer(source *workloadapi.X509Source, responderEndpoint *endpo
 	return server
 }
 
-func registerEndpoint(ctx context.Context, config *Config, source *workloadapi.X509Source, urlStr string) error {
+func registerEndpoint(ctx context.Context, config *Config, tlsClientConfig *tls.Config, urlStr string) error {
 	clientOptions := append(
 		tracing.WithTracingDial(),
 		grpc.WithBlock(),
 		grpc.WithDefaultCallOptions(grpc.WaitForReady(true)),
 		grpc.WithTransportCredentials(
 			grpcfd.TransportCredentials(
 				credentials.NewTLS(
-					tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeAny()),
+					tlsClientConfig,
 				),
 			),
 		),
@@ -305,6 +306,11 @@ func main() {
 		logrus.Fatalf("error getting x509 svid: %+v", err)
 	}
 
+	tlsClientConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeAny())
+	tlsClientConfig.MinVersion = tls.VersionTLS12
+	tlsServerConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeAny())
+	tlsServerConfig.MinVersion = tls.VersionTLS12
+
 	// ********************************************************************************
 	log.FromContext(ctx).Infof("executing phase 4: creating vlan-vpp-responder ipam")
 	// ********************************************************************************
@@ -321,7 +327,7 @@ func main() {
 	log.FromContext(ctx).Infof("executing phase 6: create grpc server and register vlan-vpp-responder")
 	// ********************************************************************************
 
-	server := registerGRPCServer(source, &responderEndpoint)
+	server := registerGRPCServer(tlsServerConfig, &responderEndpoint)
 	tmpDir, err := ioutil.TempDir("", config.Name)
 	if err != nil {
 		logrus.Fatalf("error creating tmpDir %+v", err)
@@ -335,7 +341,7 @@ func main() {
 	// ********************************************************************************
 	log.FromContext(ctx).Infof("executing phase 7: register nse with nsm")
 	// ********************************************************************************
-	err = registerEndpoint(ctx, config, source, listenOn.String())
+	err = registerEndpoint(ctx, config, tlsClientConfig, listenOn.String())
 	if err != nil {
 		log.FromContext(ctx).Fatalf("failed to connect to registry: %+v", err)
 	}