node: Purge grpc.tls.use_insecure_crypto config

Insecure cipher suites must never be allowed. Refs #2755. Signed-off-by: Leonard Lyubich <[email protected]>
nspcc-dev · Mar 5, 2024 · de1316f · de1316f
1 parent 9dddf73
commit de1316f
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,7 @@ Changelog for NeoFS Node
 ### Removed
 - Object notifications incl. NATS (#2750)
 - Supporting of `__NEOFS__NETMAP*` X-headers (#2751)
+- Option to use insecure TLS cipher suites (#2755)
 
 ### Updated
 - Minimum required version of Go to 1.20
@@ -40,6 +41,8 @@ migration utility. Blobovniczas were removed from the node since 0.39.0, so
 if you're using any current NeoFS node version it's not a problem. If you're
 using 0.38.0 or lower with blobovniczas configured, please migrate ASAP.
 
+Remove `grpc.tls.use_insecure_crypto` from any storage node configuration.
+
 ## [0.40.1] - 2024-02-22
 
 ### Fixed

diff --git a/cmd/neofs-node/config/grpc/config.go b/cmd/neofs-node/config/grpc/config.go
@@ -78,11 +78,6 @@ func (tls TLSConfig) CertificateFile() string {
 	return v
 }
 
-// UseInsecureCrypto returns true if TLS 1.2 cipher suite should not be restricted.
-func (tls TLSConfig) UseInsecureCrypto() bool {
-	return config.BoolSafe(tls.cfg, "use_insecure_crypto")
-}
-
 // IterateEndpoints iterates over subsections of "grpc" section of c,
 // wrap them into Config and passes to f.
 //

diff --git a/cmd/neofs-node/config/grpc/config_test.go b/cmd/neofs-node/config/grpc/config_test.go
@@ -34,14 +34,12 @@ func TestGRPCSection(t *testing.T) {
 				require.NotNil(t, tls)
 				require.Equal(t, "/path/to/cert", tls.CertificateFile())
 				require.Equal(t, "/path/to/key", tls.KeyFile())
-				require.False(t, tls.UseInsecureCrypto())
 			case 1:
 				require.Equal(t, "s02.neofs.devenv:8080", sc.Endpoint())
 				require.Nil(t, tls)
 			case 2:
 				require.Equal(t, "s03.neofs.devenv:8080", sc.Endpoint())
 				require.NotNil(t, tls)
-				require.True(t, tls.UseInsecureCrypto())
 			}
 		})
 	}

diff --git a/cmd/neofs-node/grpc.go b/cmd/neofs-node/grpc.go
@@ -29,20 +29,17 @@ func initGRPC(c *cfg) {
 				return
 			}
 
-			var cipherSuites []uint16
-			if !tlsCfg.UseInsecureCrypto() {
-				// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
-				// excluding:
-				// 1. TLS 1.3 suites need not be specified here.
-				// 2. Suites that use DH key exchange are not implemented by stdlib.
-				cipherSuites = []uint16{
-					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-				}
+			// This more or less follows the list in https://wiki.mozilla.org/Security/Server_Side_TLS
+			// excluding:
+			// 1. TLS 1.3 suites need not be specified here.
+			// 2. Suites that use DH key exchange are not implemented by stdlib.
+			cipherSuites := []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 			}
 			creds := credentials.NewTLS(&tls.Config{
 				CipherSuites: cipherSuites,

diff --git a/config/example/node.json b/config/example/node.json
@@ -54,8 +54,7 @@
     "2": {
       "endpoint": "s03.neofs.devenv:8080",
       "tls": {
-        "enabled": true,
-        "use_insecure_crypto": true
+        "enabled": true
       }
     }
   },

diff --git a/config/example/node.yaml b/config/example/node.yaml
@@ -47,7 +47,6 @@ grpc:
   - endpoint: s03.neofs.devenv:8080
     tls:
       enabled: true
-      use_insecure_crypto: true # allow using insecure ciphers with TLS 1.2
 
 tree:
   enabled: true

diff --git a/docs/storage-node-configuration.md b/docs/storage-node-configuration.md
@@ -52,7 +52,6 @@ grpc:
   - endpoint: external.ip:8080
     tls:
       enabled: true
-      use_insecure_crypto: true
 ```
 Contains an array of gRPC endpoint configurations. The following table describes the format of each
 element.
@@ -69,7 +68,6 @@ element.
 | `enabled`             | `bool`   | `false`       | Address that control service listener binds to.                           |
 | `certificate`         | `string` |               | Path to the TLS certificate.                                              |
 | `key`                 | `string` |               | Path to the key.                                                          |
-| `use_insecure_crypto` | `bool`   | `false`       | If true, ciphers considered insecure by Go stdlib are allowed to be used. |
 
 # `pprof` section