internal: ignore insecure TLS certs (#5483)
* servers: ignore insecure TLS certs * slight refactor to have a single place for tls config Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
b7b62ba089
commit
ab795e6642
|
@ -6,6 +6,7 @@ import (
|
|||
|
||||
"github.com/pires/go-proxyproto"
|
||||
"goauthentik.io/internal/config"
|
||||
"goauthentik.io/internal/utils"
|
||||
)
|
||||
|
||||
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
|
@ -38,11 +39,8 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
|
|||
|
||||
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
||||
listen := config.Get().Listen.LDAPS
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
GetCertificate: ls.getCertificates,
|
||||
}
|
||||
tlsConfig := utils.GetTLSConfig()
|
||||
tlsConfig.GetCertificate = ls.getCertificates
|
||||
|
||||
ln, err := net.Listen("tcp", listen)
|
||||
if err != nil {
|
||||
|
|
|
@ -18,6 +18,7 @@ import (
|
|||
"goauthentik.io/internal/outpost/ak"
|
||||
"goauthentik.io/internal/outpost/proxyv2/application"
|
||||
"goauthentik.io/internal/outpost/proxyv2/metrics"
|
||||
"goauthentik.io/internal/utils"
|
||||
sentryutils "goauthentik.io/internal/utils/sentry"
|
||||
"goauthentik.io/internal/utils/web"
|
||||
)
|
||||
|
@ -129,11 +130,8 @@ func (ps *ProxyServer) ServeHTTP() {
|
|||
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
||||
func (ps *ProxyServer) ServeHTTPS() {
|
||||
listenAddress := config.Get().Listen.HTTPS
|
||||
config := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
GetCertificate: ps.getCertificates,
|
||||
}
|
||||
tlsConfig := utils.GetTLSConfig()
|
||||
tlsConfig.GetCertificate = ps.getCertificates
|
||||
|
||||
ln, err := net.Listen("tcp", listenAddress)
|
||||
if err != nil {
|
||||
|
@ -143,7 +141,7 @@ func (ps *ProxyServer) ServeHTTPS() {
|
|||
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
|
||||
defer proxyListener.Close()
|
||||
|
||||
tlsListener := tls.NewListener(proxyListener, config)
|
||||
tlsListener := tls.NewListener(proxyListener, tlsConfig)
|
||||
ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")
|
||||
ps.serve(tlsListener)
|
||||
ps.log.WithField("listen", listenAddress).Info("Stopping HTTPS server")
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
package utils
|
||||
|
||||
import "crypto/tls"
|
||||
|
||||
func GetTLSConfig() *tls.Config {
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
}
|
||||
|
||||
// Insecure SWEET32 attack ciphers, TLS config uses a fallback
|
||||
insecureCiphersIds := []uint16{
|
||||
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
}
|
||||
defaultSecureCiphers := []uint16{}
|
||||
for _, cs := range tls.CipherSuites() {
|
||||
for _, icsId := range insecureCiphersIds {
|
||||
if cs.ID != icsId {
|
||||
defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
|
||||
}
|
||||
}
|
||||
}
|
||||
tlsConfig.CipherSuites = defaultSecureCiphers
|
||||
return tlsConfig
|
||||
}
|
|
@ -7,6 +7,7 @@ import (
|
|||
"github.com/pires/go-proxyproto"
|
||||
"goauthentik.io/internal/config"
|
||||
"goauthentik.io/internal/crypto"
|
||||
"goauthentik.io/internal/utils"
|
||||
"goauthentik.io/internal/utils/web"
|
||||
)
|
||||
|
||||
|
@ -35,11 +36,8 @@ func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certif
|
|||
|
||||
// ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
|
||||
func (ws *WebServer) listenTLS() {
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
MaxVersion: tls.VersionTLS12,
|
||||
GetCertificate: ws.GetCertificate(),
|
||||
}
|
||||
tlsConfig := utils.GetTLSConfig()
|
||||
tlsConfig.GetCertificate = ws.GetCertificate()
|
||||
|
||||
ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
|
||||
if err != nil {
|
||||
|
|
Reference in New Issue