internal: ignore insecure TLS certs (#5483)

* servers: ignore insecure TLS certs

* slight refactor to have a single place for tls config

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/ldap/ldap_tls.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/pires/go-proxyproto"
 	"goauthentik.io/internal/config"
+	"goauthentik.io/internal/utils"
 )
 
 func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -38,11 +39,8 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
 
 func (ls *LDAPServer) StartLDAPTLSServer() error {
 	listen := config.Get().Listen.LDAPS
-	tlsConfig := &tls.Config{
-		MinVersion:     tls.VersionTLS12,
-		MaxVersion:     tls.VersionTLS12,
-		GetCertificate: ls.getCertificates,
-	}
+	tlsConfig := utils.GetTLSConfig()
+	tlsConfig.GetCertificate = ls.getCertificates
 
 	ln, err := net.Listen("tcp", listen)
 	if err != nil {

internal/outpost/proxyv2/proxyv2.go

@@ -18,6 +18,7 @@ import (
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/application"
 	"goauthentik.io/internal/outpost/proxyv2/metrics"
+	"goauthentik.io/internal/utils"
 	sentryutils "goauthentik.io/internal/utils/sentry"
 	"goauthentik.io/internal/utils/web"
 )
@@ -129,11 +130,8 @@ func (ps *ProxyServer) ServeHTTP() {
 // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
 func (ps *ProxyServer) ServeHTTPS() {
 	listenAddress := config.Get().Listen.HTTPS
-	config := &tls.Config{
-		MinVersion:     tls.VersionTLS12,
-		MaxVersion:     tls.VersionTLS12,
-		GetCertificate: ps.getCertificates,
-	}
+	tlsConfig := utils.GetTLSConfig()
+	tlsConfig.GetCertificate = ps.getCertificates
 
 	ln, err := net.Listen("tcp", listenAddress)
 	if err != nil {
@@ -143,7 +141,7 @@ func (ps *ProxyServer) ServeHTTPS() {
 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
 	defer proxyListener.Close()
 
-	tlsListener := tls.NewListener(proxyListener, config)
+	tlsListener := tls.NewListener(proxyListener, tlsConfig)
 	ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")
 	ps.serve(tlsListener)
 	ps.log.WithField("listen", listenAddress).Info("Stopping HTTPS server")

internal/utils/tls.go

@@ -0,0 +1,26 @@
+package utils
+
+import "crypto/tls"
+
+func GetTLSConfig() *tls.Config {
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		MaxVersion: tls.VersionTLS12,
+	}
+
+	// Insecure SWEET32 attack ciphers, TLS config uses a fallback
+	insecureCiphersIds := []uint16{
+		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	}
+	defaultSecureCiphers := []uint16{}
+	for _, cs := range tls.CipherSuites() {
+		for _, icsId := range insecureCiphersIds {
+			if cs.ID != icsId {
+				defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
+			}
+		}
+	}
+	tlsConfig.CipherSuites = defaultSecureCiphers
+	return tlsConfig
+}

internal/web/tls.go

@@ -7,6 +7,7 @@ import (
 	"github.com/pires/go-proxyproto"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/crypto"
+	"goauthentik.io/internal/utils"
 	"goauthentik.io/internal/utils/web"
 )
 
@@ -35,11 +36,8 @@ func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certif
 
 // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
 func (ws *WebServer) listenTLS() {
-	tlsConfig := &tls.Config{
-		MinVersion:     tls.VersionTLS12,
-		MaxVersion:     tls.VersionTLS12,
-		GetCertificate: ws.GetCertificate(),
-	}
+	tlsConfig := utils.GetTLSConfig()
+	tlsConfig.GetCertificate = ws.GetCertificate()
 
 	ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
 	if err != nil {