
feat(ssl) configurable ssl cipher suites #2555

Merged: 1 commit, May 25, 2017

Conversation

p0pr0ck5
Contributor

Summary

The increasing ubiquity of TLS in the HTTP ecosystem necessitates that Kong be a good citizen and provide a secure default TLS configuration for users. This commit provides a shorthand config option to define cipher suites based on Mozilla's recommended cipher list, and an optional config to define custom ciphers.

Further optimizations to the default TLS configuration, such as OCSP stapling/verification and non-default Diffie-Hellman params, should be implemented, but these changes are less trivial, and so belong in discrete PRs.

Full changelog

@subnetmarco subnetmarco added this to the 0.10.3 milestone May 24, 2017
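The option resolution the description outlines (a named profile, or the user's own list when `ssl_cipher_suite` is `custom`, with problems collected the way `check_and_infer` collects them rather than raised), as an added Python example that is not Kong's Lua code. The profile strings and the default profile name are constructed stand-ins, not Mozilla's lists, and the OpenSSL validation step is something the PR leaves to nginx at start-up.

```python
import ssl

# Constructed stand-in profiles (assumption): the real named suites come from
# Mozilla's Server Side TLS recommendations, which this example does not copy.
CIPHER_SUITES = {
    "modern": ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"),
    "intermediate": ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                     "!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"),
}
DEFAULT_SUITE = "modern"  # assumption: the PR does not show which profile is the default


def resolve_ciphers(conf):
    """Resolve ssl_cipher_suite / ssl_ciphers into one OpenSSL cipher string.

    Follows the check_and_infer pattern: problems are appended to an errors
    list for the caller to report, nothing is raised.
    Returns (cipher_string_or_None, errors)."""
    errors = []
    suite = conf.get("ssl_cipher_suite", DEFAULT_SUITE)
    value = None
    if suite == "custom":
        value = conf.get("ssl_ciphers") or None
        if value is None:
            errors.append("ssl_ciphers must be set when ssl_cipher_suite is custom")
    elif suite in CIPHER_SUITES:
        value = CIPHER_SUITES[suite]
    else:
        errors.append("Undefined cipher suite " + str(suite))
    if value is not None:
        # Ask OpenSSL whether the string selects at least one TLS 1.2 cipher;
        # unknown names are silently ignored, an all-unknown string is rejected.
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(value)
        except ssl.SSLError as exc:
            errors.append("ssl_ciphers rejected by OpenSSL: %s" % exc)
            value = None
    return value, errors


def negotiable_ciphers(cipher_string):
    """Cipher names OpenSSL would actually offer for the string. TLS 1.3 suites
    are filtered out because a pre-1.3 cipher string does not control them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
```

`negotiable_ciphers` is the quick way to see that a `!`-prefixed entry removes a suite even when an earlier entry added it.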
@@ -228,6 +229,15 @@ local function check_and_infer(conf)
end
end

if conf.ssl_cipher_suite ~= "custom" then
local ok, err = pcall(function()
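Review bot: the last line of this hunk binds the pcall result to `ok` and never consults it, so a failing suite lookup is silently dropped; since the condition `~= "custom"` sends every other value, typos included, into that lookup, the error path is the only thing that reports a misspelt suite name and it needs to feed the same `errors` table as the other checks in check_and_infer, e.g. `if not ok then errors[#errors + 1] = err end`.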
Member

This unused ok will fail linting. We prefer:

if not ok then
  error[#errors +1] = err
end

"!EDH-DSS-DES-CBC3-SHA",
"!KRB5-DES-CBC3-SHA",
"!SRP"
}
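Review bot: besides the trailing commas, the `!`-prefixed entries at the tail of this table deserve a one-line comment: in OpenSSL cipher-string syntax `!` is a permanent exclusion (a suite removed this way cannot be re-added by a later entry), so their position at the end is correct, and noting that they are carried over from Mozilla's list rather than being Kong additions will save the next reader a lookup.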
Member

(style: we need trailing commas in several locations in this table)

# Note: See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed
# descriptions of each cipher suite.

#ssl_ciphers = # Define a custom list of TLS ciphers to be
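Review bot: the comment on the commented-out `#ssl_ciphers =` line should say when the value is honoured (only together with `ssl_cipher_suite = custom`, going by the test names in this PR) and what format it takes (an OpenSSL cipher string as nginx's `ssl_ciphers` accepts, colon-separated); without that, a user who sets `ssl_ciphers` alone will expect it to take effect and get the named profile instead.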
Member

Defines, as per the convention followed in this configuration file (and the ssl_cipher_suite property).

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ${{SSL_CIPHERS}};
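Review bot: `ssl_prefer_server_ciphers on` is what makes the ordering of `${{SSL_CIPHERS}}` matter, but no `ssl_protocols` directive appears in this hunk; Mozilla's profiles are defined as a cipher list together with a protocol set, so a "modern" cipher list next to a permissive protocol line would not deliver the profile. Worth confirming the template's `ssl_protocols` line, and applying the same four directives to the Admin server block as noted above.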
Member

This either needs to be added to the Admin server as well, or the property should reflect that those values are for the Proxy port only (the former is probably what we are after here).

}

local ciphers = setmetatable(_ciphers, {
__index = function(t, k) error("Undefined cipher suite " .. tostring(k)) end,
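Review bot: `error(...)` with the default level prefixes the message with the file and line of this `__index` function, so the string that reaches the `errors` table in check_and_infer carries an internal source path; pass level 0 (`error("Undefined cipher suite " .. tostring(k), 0)`) so users see only the message. The test's `assert.matches("Undefined cipher suite foo", errors[1])` does not catch this because a substring match tolerates the prefix.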
Member

style: this looks like a 4 spaces indent

@@ -0,0 +1,114 @@
local cat = table.concat
Member

We try to avoid such globals caching when not necessary (cold paths) - this looks like such a case, since this is only to be called by the CLI.

it("defines ssl_ciphers by default", function()
local conf, err = conf_loader(nil, {})
assert.is_nil(err)
assert.matches(":", conf.ssl_ciphers) -- looks kinda like a cipher suite
Member

assert.matches(":", conf.ssl_ciphers, nil, true) might be preferable here. Same for other assert.matches in this suite.

assert.matches("Undefined cipher suite foo", errors[1])
end)
it("overrides ssl_ciphers when ssl_cipher_suite is custom", function()
local conf,err = conf_loader(nil, {
Member

very very minor but missing a space - it's fine

ssl_cipher_suite = "custom",
})
assert.is_nil(err)
assert.equals(ciphers("modern"), conf.ssl_ciphers)
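Review bot: this test is titled as an override of `ssl_ciphers` under `ssl_cipher_suite = "custom"`, yet it asserts `conf.ssl_ciphers` equals `ciphers("modern")`, a value a named profile could also yield; set a distinct custom string (any constructed cipher list) and assert on that, so the test fails if the custom value is ignored and the default is used.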
Member

Better to use assert.same() when comparing tables, at any time except rare exceptions.

})
assert.is_nil(err)
assert.equals(ciphers("modern"), conf.ssl_ciphers)
end)
Member

I think we are missing a test case when the cipher suite is other than the default one - and other than custom?

assert.matches(":", conf.ssl_ciphers) -- looks kinda like a cipher suite
end)
it("errors on invalid ssl_cipher_suite", function()
local conf, _, errors = conf_loader(nil, {
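Review bot: in the invalid-suite test the first return value is bound to `conf` and unused; assert it is nil (as noted) and also assert that `errors` holds exactly one entry, so an unknown suite is shown to both fail loading and not produce spurious additional errors.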
Member

This unused conf failed linting. Better asserting it is nil.

@p0pr0ck5
Contributor Author

Eagle-eyed! Re-up'd addressing concerns (and manually linting, I gotta learn to do that beforehand...)

Provide a shorthand config option to define cipher suites based on
Mozilla's recommended cipher list, and an optional config to define
custom ciphers.
@thibaultcha thibaultcha merged commit 0435063 into master May 25, 2017
@thibaultcha thibaultcha deleted the feat/strong_tls branch May 25, 2017 00:44
thibaultcha added a commit to Kong/docs.konghq.com that referenced this pull request May 25, 2017