add tls configuration
Jeff Wendling
parent
3e12599a44
commit
903bd6c14a
|
|
@ -62,6 +62,9 @@ type Config struct {
|
|||
|
||||
// BindAddress is the address that all TCP services use (Raft, Snapshot, Cluster, etc.)
|
||||
BindAddress string `toml:"bind-address"`
|
||||
|
||||
// TLS provides configuration options for all https endpoints.
|
||||
TLS TLSConfig `toml:"tls"`
|
||||
}
|
||||
|
||||
// NewConfig returns an instance of Config with reasonable defaults.
|
||||
|
|
|
|||
|
|
@ -64,6 +64,9 @@ enabled = true
|
|||
|
||||
[continuous_queries]
|
||||
enabled = true
|
||||
|
||||
[tls]
|
||||
ciphers = ["cipher"]
|
||||
`); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
@ -97,6 +100,8 @@ enabled = true
|
|||
t.Fatalf("unexpected subscriber enabled: %v", c.Subscriber.Enabled)
|
||||
} else if !c.ContinuousQuery.Enabled {
|
||||
t.Fatalf("unexpected continuous query enabled: %v", c.ContinuousQuery.Enabled)
|
||||
} else if c.TLS.Ciphers[0] != "cipher" {
|
||||
t.Fatalf("unexpected tls: %q", c.TLS.Ciphers)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -150,6 +155,9 @@ enabled = true
|
|||
|
||||
[continuous_queries]
|
||||
enabled = true
|
||||
|
||||
[tls]
|
||||
min-version = "tls1.0"
|
||||
`, &c); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
@ -179,6 +187,8 @@ enabled = true
|
|||
case "INFLUXDB_COORDINATOR_QUERY_TIMEOUT":
|
||||
// duration type
|
||||
return "1m"
|
||||
case "INFLUXDB_TLS_MIN_VERSION":
|
||||
return "tls1.2"
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
|
@ -226,6 +236,10 @@ enabled = true
|
|||
if c.Coordinator.QueryTimeout != influxtoml.Duration(time.Minute) {
|
||||
t.Fatalf("unexpected query timeout: %v", c.Coordinator.QueryTimeout)
|
||||
}
|
||||
|
||||
if c.TLS.MinVersion != "tls1.2" {
|
||||
t.Fatalf("unexpected tls min version: %q", c.TLS.MinVersion)
|
||||
}
|
||||
}
|
||||
|
||||
func TestConfig_ValidateNoServiceConfigured(t *testing.T) {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,87 @@
|
|||
package run
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type TLSConfig struct {
|
||||
Ciphers []string `toml:"ciphers"`
|
||||
MinVersion string `toml:"min-version"`
|
||||
MaxVersion string `toml:"max-version"`
|
||||
}
|
||||
|
||||
func ParseTLSConfig(config TLSConfig) (*tls.Config, error) {
|
||||
out := new(tls.Config)
|
||||
|
||||
if len(config.Ciphers) > 0 {
|
||||
for _, name := range config.Ciphers {
|
||||
cipher, ok := ciphersMap[strings.ToUpper(name)]
|
||||
if !ok {
|
||||
return nil, unknownCipher(name)
|
||||
}
|
||||
out.CipherSuites = append(out.CipherSuites, cipher)
|
||||
}
|
||||
}
|
||||
|
||||
if config.MinVersion != "" {
|
||||
version, ok := versionsMap[strings.ToUpper(config.MinVersion)]
|
||||
if !ok {
|
||||
return nil, unknownVersion(config.MinVersion)
|
||||
}
|
||||
out.MinVersion = version
|
||||
}
|
||||
|
||||
if config.MaxVersion != "" {
|
||||
version, ok := versionsMap[strings.ToUpper(config.MaxVersion)]
|
||||
if !ok {
|
||||
return nil, unknownVersion(config.MaxVersion)
|
||||
}
|
||||
out.MaxVersion = version
|
||||
}
|
||||
|
||||
return out, nil
|
||||
}
|
||||
|
||||
var ciphersMap = map[string]uint16{
|
||||
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
||||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
}
|
||||
|
||||
func unknownCipher(name string) error {
|
||||
// TODO(jeff): list available?
|
||||
return fmt.Errorf("unknown cipher suite: %q", name)
|
||||
}
|
||||
|
||||
var versionsMap = map[string]uint16{
|
||||
"SSL3.0": tls.VersionSSL30,
|
||||
"TLS1.0": tls.VersionTLS10,
|
||||
"TLS1.1": tls.VersionTLS11,
|
||||
"TLS1.2": tls.VersionTLS12,
|
||||
}
|
||||
|
||||
func unknownVersion(name string) error {
|
||||
// TODO(jeff): list available?
|
||||
return fmt.Errorf("unknown tls version: %q", name)
|
||||
}
|
||||
Loading…
Reference in New Issue