forked from influxdata/telegraf
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add capability to limit TLS versions and cipher suites (influxdata#6246)
- Loading branch information
Showing
10 changed files
with
286 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
# TLS settings | ||
|
||
TLS for output plugin will be used if you provide options `tls_cert` and `tls_key`. | ||
Settings that can be used to configure TLS: | ||
|
||
- `tls_cert` - path to certificate. Type: `string`. Ex. `tls_cert = "/etc/ssl/telegraf.crt"` | ||
- `tls_key` - path to key. Type: `string`, Ex. `tls_key = "/etc/ssl/telegraf.key"` | ||
- `tls_allowed_cacerts` - Set one or more allowed client CA certificate file names to enable mutually authenticated TLS connections. Type: `list`. Ex. `tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]` | ||
- `tls_cipher_suites`- Define list of ciphers that will be supported. If wasn't defined default will be used. Type: `list`. Ex. `tls_cipher_suites = ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]` | ||
- `tls_min_version` - Minimum TLS version that is acceptable. If wasn't defined default (TLS 1.0) will be used. Type: `string`. Ex. `tls_min_version = "TLS11"` | ||
- `tls_max_version` - Maximum SSL/TLS version that is acceptable. If not set, then the maximum version supported is used, which is currently TLS 1.2 (for go < 1.12) or TLS 1.3 (for go == 1.12). Ex. `tls_max_version = "TLS12"` | ||
|
||
tls ciphers are supported: | ||
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||
- TLS_RSA_WITH_AES_128_GCM_SHA256 | ||
- TLS_RSA_WITH_AES_256_GCM_SHA384 | ||
- TLS_RSA_WITH_AES_128_CBC_SHA256 | ||
- TLS_RSA_WITH_AES_128_CBC_SHA | ||
- TLS_RSA_WITH_AES_256_CBC_SHA | ||
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||
- TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||
- TLS_RSA_WITH_RC4_128_SHA | ||
- TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||
- TLS_AES_128_GCM_SHA256 (only if version go1.12 was used for make build) | ||
- TLS_AES_256_GCM_SHA384 (only if version go1.12 was used for make build) | ||
- TLS_CHACHA20_POLY1305_SHA256 (only if version go1.12 was used for make build) | ||
|
||
TLS versions are supported: | ||
- TLS10 | ||
- TLS11 | ||
- TLS12 | ||
- TLS13 (only if version go1.12 was used for make build) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
package tls | ||
|
||
import "crypto/tls" | ||
|
||
var tlsVersionMap = map[string]uint16{ | ||
"TLS10": tls.VersionTLS10, | ||
"TLS11": tls.VersionTLS11, | ||
"TLS12": tls.VersionTLS12, | ||
} | ||
|
||
var tlsCipherMap = map[string]uint16{ | ||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | ||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | ||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | ||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | ||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | ||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, | ||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | ||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, | ||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | ||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, | ||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | ||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, | ||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, | ||
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, | ||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, | ||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, | ||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, | ||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, | ||
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, | ||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, | ||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
// +build go1.12 | ||
|
||
package tls | ||
|
||
import "crypto/tls" | ||
|
||
func init() { | ||
tlsVersionMap["TLS13"] = tls.VersionTLS13 | ||
tlsCipherMap["TLS_AES_128_GCM_SHA256"] = tls.TLS_AES_128_GCM_SHA256 | ||
tlsCipherMap["TLS_AES_256_GCM_SHA384"] = tls.TLS_AES_256_GCM_SHA384 | ||
tlsCipherMap["TLS_CHACHA20_POLY1305_SHA256"] = tls.TLS_CHACHA20_POLY1305_SHA256 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
package tls | ||
|
||
import ( | ||
"fmt" | ||
) | ||
|
||
// ParseCiphers returns a `[]uint16` by received `[]string` key that represents ciphers from crypto/tls. | ||
// If some of ciphers in received list doesn't exists ParseCiphers returns nil with error | ||
func ParseCiphers(ciphers []string) ([]uint16, error) { | ||
suites := []uint16{} | ||
|
||
for _, cipher := range ciphers { | ||
if v, ok := tlsCipherMap[cipher]; ok { | ||
suites = append(suites, v) | ||
} else { | ||
return nil, fmt.Errorf("unsupported cipher %q", cipher) | ||
} | ||
} | ||
|
||
return suites, nil | ||
} | ||
|
||
// ParseTLSVersion returns a `uint16` by received version string key that represents tls version from crypto/tls. | ||
// If version isn't supportes ParseTLSVersion returns 0 with error | ||
func ParseTLSVersion(version string) (uint16, error) { | ||
if v, ok := tlsVersionMap[version]; ok { | ||
return v, nil | ||
} | ||
return 0, fmt.Errorf("unsupported version %q", version) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters