mirror of https://github.com/grpc/grpc-go.git
advancedtls: add CipherSuites to Options (#7269)
This commit is contained in:
parent
a4593c5881
commit
11872f1162
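--- a/FILE-PATH-NOT-SHOWN-1
+++ b/FILE-PATH-NOT-SHOWN-1
@@ -284,6 +284,10 @@ type Options struct {
 // which is currently TLS 1.3. This default may be changed over time
 // affecting backwards compatibility.
 MaxTLSVersion uint16
+// CipherSuites is an unordered list of supported TLS 1.0–1.2
+// ciphersuites. TLS 1.3 ciphersuites are not configurable. If nil, a
+// safe default list is used.
+CipherSuites []uint16
 // serverNameOverride is for testing only and only relevant on the client
 // side. If set to a non-empty string, it will override the virtual host
 // name of authority (e.g. :authority header field) in requests and the
@@ -353,6 +357,7 @@ func (o *Options) clientConfig() (*tls.Config, error) {
 InsecureSkipVerify: true,
 MinVersion: o.MinTLSVersion,
 MaxVersion: o.MaxTLSVersion,
+CipherSuites: o.CipherSuites,
 }
 // Propagate root-certificate-related fields in tls.Config.
 switch {
@@ -467,9 +472,10 @@ func (o *Options) serverConfig() (*tls.Config, error) {
 o.MaxTLSVersion = tls.VersionTLS13
 }
 config := &tls.Config{
 ClientAuth: clientAuth,
 MinVersion: o.MinTLSVersion,
 MaxVersion: o.MaxTLSVersion,
+CipherSuites: o.CipherSuites,
 }
 // Propagate root-certificate-related fields in tls.Config.
 switch {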
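Review bot: The new `CipherSuites` value is copied straight into `tls.Config` in both `clientConfig()` and `serverConfig()` without any validation, so an ID that crypto/tls lists as insecure, or one it does not implement at all, is accepted silently at configuration time and presumably only shows up later as a handshake failure or a weaker-than-intended negotiation. Since this is the security-facing options type, consider checking each entry against `tls.CipherSuites()` before building the config and returning an error from both methods, as sketched below; if accepting suites outside that list is deliberate, the field comment should say so instead. The field comment also only describes nil; a sentence on what an empty non-nil slice does would help callers that build the list dynamically. Both `clientConfig()` and `serverConfig()` start and end outside the hunks.
```go
// … unchanged: MinTLSVersion/MaxTLSVersion defaulting …
if err := validateCipherSuites(o.CipherSuites); err != nil {
	return nil, err
}
config := &tls.Config{
// … unchanged: remaining tls.Config fields and root-certificate propagation …

// validateCipherSuites rejects IDs that crypto/tls does not report as
// supported and secure, so a misconfigured suite fails at construction
// time rather than surfacing as a handshake error.
func validateCipherSuites(ids []uint16) error {
	for _, id := range ids {
		supported := false
		for _, cs := range tls.CipherSuites() {
			if cs.ID == id {
				supported = true
				break
			}
		}
		if !supported {
			return fmt.Errorf("cipher suite 0x%04x is not in tls.CipherSuites()", id)
		}
	}
	return nil
}
```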
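--- a/FILE-PATH-NOT-SHOWN-2
+++ b/FILE-PATH-NOT-SHOWN-2
@@ -29,6 +29,7 @@ import (
 "os"
 "testing"
 
+"github.com/google/go-cmp/cmp"
 lru "github.com/hashicorp/golang-lru"
 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/tls/certprovider"
@@ -172,6 +173,7 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
 RootOptions RootCertificateOptions
 MinVersion uint16
 MaxVersion uint16
+cipherSuites []uint16
 }{
 {
 desc: "Use system default if no fields in RootCertificateOptions is specified",
@@ -196,6 +198,15 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
 RootCACerts: x509.NewCertPool(),
 },
 },
+{
+desc: "Ciphersuite plumbing through client options",
+cipherSuites: []uint16{
+tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+},
+},
 }
 for _, test := range tests {
 test := test
@@ -206,6 +217,7 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
 RootOptions: test.RootOptions,
 MinTLSVersion: test.MinVersion,
 MaxTLSVersion: test.MaxVersion,
+CipherSuites: test.cipherSuites,
 }
 clientConfig, err := clientOptions.clientConfig()
 if err != nil {
@@ -237,6 +249,9 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
 t.Fatalf("Default max tls version not set correctly")
 }
 }
+if diff := cmp.Diff(clientConfig.CipherSuites, test.cipherSuites); diff != "" {
+t.Errorf("cipherSuites diff (-want +got):\n%s", diff)
+}
 })
 }
 }
@@ -335,6 +350,7 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
 RootOptions RootCertificateOptions
 MinVersion uint16
 MaxVersion uint16
+cipherSuites []uint16
 }{
 {
 desc: "Use system default if no fields in RootCertificateOptions is specified",
@@ -368,6 +384,21 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
 RootCACerts: x509.NewCertPool(),
 },
 },
+{
+desc: "Ciphersuite plumbing through server options",
+IdentityOptions: IdentityCertificateOptions{
+Certificates: []tls.Certificate{},
+},
+RootOptions: RootCertificateOptions{
+RootCACerts: x509.NewCertPool(),
+},
+cipherSuites: []uint16{
+tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+},
+},
 }
 for _, test := range tests {
 test := test
@@ -379,6 +410,7 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
 RootOptions: test.RootOptions,
 MinTLSVersion: test.MinVersion,
 MaxTLSVersion: test.MaxVersion,
+CipherSuites: test.cipherSuites,
 }
 serverConfig, err := serverOptions.serverConfig()
 if err != nil {
@@ -392,6 +424,9 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
 t.Fatalf("Failed to assign system-provided certificates on the server side.")
 }
 }
+if diff := cmp.Diff(serverConfig.CipherSuites, test.cipherSuites); diff != "" {
+t.Errorf("cipherSuites diff (-want +got):\n%s", diff)
+}
 })
 }
 }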
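Review bot: The `cmp.Diff` calls in the two new assertion hunks pass arguments in (got, want) order while the message legend says `(-want +got)`, so a failure would print the diff with the sides inverted; this applies to both the client-side check in `TestClientOptionsConfigSuccessCases` and the server-side check in `TestServerOptionsConfigSuccessCases`. Swap them to `cmp.Diff(test.cipherSuites, clientConfig.CipherSuites)` and `cmp.Diff(test.cipherSuites, serverConfig.CipherSuites)` so the output matches the legend. The new cases confirm that the list is plumbed through unchanged; they do not exercise what crypto/tls does with the list at handshake time, which is worth a short comment on the case description so a reader does not mistake this for a negotiation test. Both test functions begin and end outside the hunks.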