Adding min version and cipher suite variables to tls configuration

CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Changelog
 
+* [ENHANCEMENT] Added `-.tls-min-version` and `.tls-cipher-suites` flag. #217
 * [CHANGE] Added new `-consul.cas-retry-delay` flag. It has a default value of `1s`, while previously there was no delay between retries. #178
 * [CHANGE] Flagext: `DayValue` now always uses UTC when parsing or displaying dates. #71
 * [CHANGE] Closer: remove the closer package since it's trivial to just copy/paste. #70

crypto/tls/tls.go

@@ -5,10 +5,12 @@ import (
 	"crypto/x509"
 	"flag"
 	"os"
+	"strings"
 
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	cliFlags "k8s.io/component-base/cli/flag"
 )
 
 // ClientConfig is the config for client TLS.
@@ -18,6 +20,8 @@ type ClientConfig struct {
 	CAPath             string `yaml:"tls_ca_path" category:"advanced"`
 	ServerName         string `yaml:"tls_server_name" category:"advanced"`
 	InsecureSkipVerify bool   `yaml:"tls_insecure_skip_verify" category:"advanced"`
+	CipherSuites       string `yaml:"tls_cipher_suites" category:"advanced"`
+	MinVersion         string `yaml:"tls_min_version" category:"advanced"`
 }
 
 var (
@@ -32,6 +36,8 @@ func (cfg *ClientConfig) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet)
 	f.StringVar(&cfg.CAPath, prefix+".tls-ca-path", "", "Path to the CA certificates file to validate server certificate against. If not set, the host's root CA certificates are used.")
 	f.StringVar(&cfg.ServerName, prefix+".tls-server-name", "", "Override the expected name on the server certificate.")
 	f.BoolVar(&cfg.InsecureSkipVerify, prefix+".tls-insecure-skip-verify", false, "Skip validating server certificate.")
+	f.StringVar(&cfg.CipherSuites, prefix+".tls-cipher-suites", "", "Override the default cipher suite list (separated by commas).")
+	f.StringVar(&cfg.MinVersion, prefix+".tls-min-version", "", "Override the default minimum TLS version.")
 }
 
 // GetTLSConfig initialises tls.Config from config options
@@ -69,6 +75,23 @@ func (cfg *ClientConfig) GetTLSConfig() (*tls.Config, error) {
 		config.Certificates = []tls.Certificate{clientCert}
 	}
 
+	if cfg.MinVersion != "" {
+		minVersion, err := cliFlags.TLSVersion(cfg.MinVersion)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to set minimum TLS version %s", cfg.MinVersion)
+		}
+		config.MinVersion = minVersion
+	}
+
+	if cfg.CipherSuites != "" {
+		rawCipherSuites := strings.Split(cfg.CipherSuites, ",")
+		cipherSuites, err := cliFlags.TLSCipherSuites(rawCipherSuites)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to set cipher suites %s", cfg.CipherSuites)
+		}
+		config.CipherSuites = cipherSuites
+	}
+
 	return config, nil
 }
 

crypto/tls/tls_test.go

@@ -1,6 +1,7 @@
 package tls
 
 import (
+	"crypto/tls"
 	"os"
 	"path/filepath"
 	"testing"
@@ -182,3 +183,22 @@ func TestGetTLSConfig_ServerName(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "myserver.com", tlsConfig.ServerName)
 }
+
+func TestGetTLSConfig_MinVersion(t *testing.T) {
+	c := &ClientConfig{
+		MinVersion: "VersionTLS13",
+	}
+	tlsConfig, err := c.GetTLSConfig()
+	assert.NoError(t, err)
+	assert.Equal(t, uint16(tls.VersionTLS13), tlsConfig.MinVersion)
+}
+
+func TestGetTLSConfig_CipherSuites(t *testing.T) {
+	c := &ClientConfig{
+		CipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	}
+	tlsConfig, err := c.GetTLSConfig()
+	assert.NoError(t, err)
+	assert.Contains(t, tlsConfig.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
+	assert.Contains(t, tlsConfig.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
+}

go.mod

@@ -30,6 +30,7 @@ require (
 	google.golang.org/grpc v1.38.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+	k8s.io/component-base v0.21.4
 )
 
 require (
@@ -42,6 +43,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.1 // indirect
 	github.com/go-kit/kit v0.10.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
 	github.com/gogo/googleapis v1.1.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.0 // indirect
@@ -57,7 +59,7 @@ require (
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/mattn/go-colorable v0.1.6 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/miekg/dns v1.1.26 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
@@ -70,7 +72,8 @@ require (
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
 	github.com/sercand/kuberesolver v2.4.0+incompatible // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/stretchr/objx v0.1.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.2.0 // indirect
 	github.com/uber/jaeger-client-go v2.28.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.2.0+incompatible // indirect
 	github.com/weaveworks/promrus v1.2.0 // indirect
@@ -84,6 +87,8 @@ require (
 	google.golang.org/appengine v1.6.6 // indirect
 	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
+	k8s.io/apimachinery v0.21.4 // indirect
+	k8s.io/klog/v2 v2.8.0 // indirect
 )
 
 replace k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.21.4