internal: ignore insecure TLS certs (#5483)
* servers: ignore insecure TLS certs * slight refactor to have a single place for TLS config Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
parent
b7b62ba089
commit
ab795e6642
|
@ -6,6 +6,7 @@ import (
|
||||||
|
|
||||||
"github.com/pires/go-proxyproto"
|
"github.com/pires/go-proxyproto"
|
||||||
"goauthentik.io/internal/config"
|
"goauthentik.io/internal/config"
|
||||||
|
"goauthentik.io/internal/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
@ -38,11 +39,8 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
|
||||||
|
|
||||||
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
||||||
listen := config.Get().Listen.LDAPS
|
listen := config.Get().Listen.LDAPS
|
||||||
tlsConfig := &tls.Config{
|
tlsConfig := utils.GetTLSConfig()
|
||||||
MinVersion: tls.VersionTLS12,
|
tlsConfig.GetCertificate = ls.getCertificates
|
||||||
MaxVersion: tls.VersionTLS12,
|
|
||||||
GetCertificate: ls.getCertificates,
|
|
||||||
}
|
|
||||||
|
|
||||||
ln, err := net.Listen("tcp", listen)
|
ln, err := net.Listen("tcp", listen)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -18,6 +18,7 @@ import (
|
||||||
"goauthentik.io/internal/outpost/ak"
|
"goauthentik.io/internal/outpost/ak"
|
||||||
"goauthentik.io/internal/outpost/proxyv2/application"
|
"goauthentik.io/internal/outpost/proxyv2/application"
|
||||||
"goauthentik.io/internal/outpost/proxyv2/metrics"
|
"goauthentik.io/internal/outpost/proxyv2/metrics"
|
||||||
|
"goauthentik.io/internal/utils"
|
||||||
sentryutils "goauthentik.io/internal/utils/sentry"
|
sentryutils "goauthentik.io/internal/utils/sentry"
|
||||||
"goauthentik.io/internal/utils/web"
|
"goauthentik.io/internal/utils/web"
|
||||||
)
|
)
|
||||||
|
@ -129,11 +130,8 @@ func (ps *ProxyServer) ServeHTTP() {
|
||||||
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
||||||
func (ps *ProxyServer) ServeHTTPS() {
|
func (ps *ProxyServer) ServeHTTPS() {
|
||||||
listenAddress := config.Get().Listen.HTTPS
|
listenAddress := config.Get().Listen.HTTPS
|
||||||
config := &tls.Config{
|
tlsConfig := utils.GetTLSConfig()
|
||||||
MinVersion: tls.VersionTLS12,
|
tlsConfig.GetCertificate = ps.getCertificates
|
||||||
MaxVersion: tls.VersionTLS12,
|
|
||||||
GetCertificate: ps.getCertificates,
|
|
||||||
}
|
|
||||||
|
|
||||||
ln, err := net.Listen("tcp", listenAddress)
|
ln, err := net.Listen("tcp", listenAddress)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -143,7 +141,7 @@ func (ps *ProxyServer) ServeHTTPS() {
|
||||||
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
|
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
|
||||||
defer proxyListener.Close()
|
defer proxyListener.Close()
|
||||||
|
|
||||||
tlsListener := tls.NewListener(proxyListener, config)
|
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
||||||
ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")
|
ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")
|
||||||
ps.serve(tlsListener)
|
ps.serve(tlsListener)
|
||||||
ps.log.WithField("listen", listenAddress).Info("Stopping HTTPS server")
|
ps.log.WithField("listen", listenAddress).Info("Stopping HTTPS server")
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
package utils
|
||||||
|
|
||||||
|
import "crypto/tls"
|
||||||
|
|
||||||
|
func GetTLSConfig() *tls.Config {
|
||||||
|
tlsConfig := &tls.Config{
|
||||||
|
MinVersion: tls.VersionTLS12,
|
||||||
|
MaxVersion: tls.VersionTLS12,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Insecure SWEET32 attack ciphers, TLS config uses a fallback
|
||||||
|
insecureCiphersIds := []uint16{
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
}
|
||||||
|
defaultSecureCiphers := []uint16{}
|
||||||
|
for _, cs := range tls.CipherSuites() {
|
||||||
|
for _, icsId := range insecureCiphersIds {
|
||||||
|
if cs.ID != icsId {
|
||||||
|
defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
tlsConfig.CipherSuites = defaultSecureCiphers
|
||||||
|
return tlsConfig
|
||||||
|
}
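Review bot: The exclusion loop in `GetTLSConfig` never removes anything: for every suite it appends `cs.ID` whenever it differs from one of the two insecure IDs, so each secure suite is appended twice and each 3DES suite is still appended once (it differs from the other ID). The resulting `tlsConfig.CipherSuites` therefore still contains exactly the SWEET32 suites the comment says are being dropped, plus duplicates of everything else; the inner loop needs to test membership and skip on a match, as below (on Go versions where `tls.CipherSuites()` no longer lists the 3DES suites the loop is harmless but the duplicates remain). The helper also deserves a doc comment, since all three callers mutate the returned value and `MaxVersion` disables TLS 1.3 on every listener, e.g. `// GetTLSConfig returns a new, caller-owned TLS config pinned to TLS 1.2 with the SWEET32 (3DES) suites removed; callers are expected to set GetCertificate.`
```go
	defaultSecureCiphers := []uint16{}
	for _, cs := range tls.CipherSuites() {
		insecure := false
		for _, icsId := range insecureCiphersIds {
			if cs.ID == icsId {
				insecure = true
				break
			}
		}
		if insecure {
			continue
		}
		defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
	}
	// … unchanged: assign tlsConfig.CipherSuites and return tlsConfig …
```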
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"github.com/pires/go-proxyproto"
|
"github.com/pires/go-proxyproto"
|
||||||
"goauthentik.io/internal/config"
|
"goauthentik.io/internal/config"
|
||||||
"goauthentik.io/internal/crypto"
|
"goauthentik.io/internal/crypto"
|
||||||
|
"goauthentik.io/internal/utils"
|
||||||
"goauthentik.io/internal/utils/web"
|
"goauthentik.io/internal/utils/web"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -35,11 +36,8 @@ func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certif
|
||||||
|
|
||||||
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
||||||
func (ws *WebServer) listenTLS() {
|
func (ws *WebServer) listenTLS() {
|
||||||
tlsConfig := &tls.Config{
|
tlsConfig := utils.GetTLSConfig()
|
||||||
MinVersion: tls.VersionTLS12,
|
tlsConfig.GetCertificate = ws.GetCertificate()
|
||||||
MaxVersion: tls.VersionTLS12,
|
|
||||||
GetCertificate: ws.GetCertificate(),
|
|
||||||
}
|
|
||||||
|
|
||||||
ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
|
ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|