[configtls] support setting cipher suites

open-telemetry · Jan 17, 2024 · b36d129 · b36d129
1 parent 65da174
commit b36d129
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 0 deletions.
diff --git a/.chloggen/cipher_suites.yaml b/.chloggen/cipher_suites.yaml
@@ -0,0 +1,26 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
+component: configtls
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: add `cipher_suites` to configtls.
+
+# One or more tracking issues or pull requests related to the change
+issues: [8105]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Users can specify a list of cipher suites to pick from. If left blank, a safe default list is used.
+
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
diff --git a/config/configtls/README.md b/config/configtls/README.md
@@ -48,6 +48,17 @@ __IMPORTANT__: TLS 1.0 and 1.1 are deprecated due to known vulnerabilities and s
 - `max_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/ed9db1d36ad6ef61095d5941ad9ee6da7ab6d05a/src/crypto/tls/common.go#L700) - currently TLS 1.3): Maximum acceptable TLS version.
   - options: ["1.0", "1.1", "1.2", "1.3"]
 
+Explicit cipher suites can be set. If left blank, a safe default list is used. See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.
+- `cipher_suites`: (default = []): List of cipher suites to use.
+
+Example:
+```
+  cipher_suites:
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+```
+
 Additionally certificates may be reloaded by setting the below configuration.
 
 - `reload_interval` (optional) : ReloadInterval specifies the duration after which the certificate will be reloaded.

diff --git a/config/configtls/configtls.go b/config/configtls/configtls.go
@@ -54,6 +54,11 @@ type TLSSetting struct {
 	// If not set, refer to crypto/tls for defaults. (optional)
 	MaxVersion string `mapstructure:"max_version"`
 
+	// CipherSuites is a list of TLS cipher suites that the TLS transport can use.
+	// If left blank, a safe default list is used.
+	// See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.
+	CipherSuites []string `mapstructure:"cipher_suites"`
+
 	// ReloadInterval specifies the duration after which the certificate will be reloaded
 	// If not set, it will never be reloaded (optional)
 	ReloadInterval time.Duration `mapstructure:"reload_interval"`
@@ -175,16 +180,39 @@ func (c TLSSetting) loadTLSConfig() (*tls.Config, error) {
 	if err != nil {
 		return nil, fmt.Errorf("invalid TLS max_version: %w", err)
 	}
+	cipherSuites, err := convertCipherSuites(c.CipherSuites)
+	if err != nil {
+		return nil, err
+	}
 
 	return &tls.Config{
 		RootCAs:              certPool,
 		GetCertificate:       getCertificate,
 		GetClientCertificate: getClientCertificate,
 		MinVersion:           minTLS,
 		MaxVersion:           maxTLS,
+		CipherSuites:         cipherSuites,
 	}, nil
 }
 
+func convertCipherSuites(cipherSuites []string) ([]uint16, error) {
+	var result []uint16
+	for _, suite := range cipherSuites {
+		found := false
+		for _, supported := range tls.CipherSuites() {
+			if suite == supported.Name {
+				result = append(result, supported.ID)
+				found = true
+				break
+			}
+		}
+		if !found {
+			return nil, fmt.Errorf("invalid TLS cipher suite: %q", suite)
+		}
+	}
+	return result, nil
+}
+
 func (c TLSSetting) loadCACertPool() (*x509.CertPool, error) {
 	// There is no need to load the System Certs for RootCAs because
 	// if the value is nil, it will default to checking against th System Certs.

diff --git a/config/configtls/configtls_test.go b/config/configtls/configtls_test.go
@@ -6,6 +6,7 @@ package configtls
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -627,3 +628,46 @@ func TestMinMaxTLSVersions(t *testing.T) {
 		})
 	}
 }
+
+func TestCipherSuites(t *testing.T) {
+	tests := []struct {
+		name       string
+		tlsSetting TLSSetting
+		wantErr    error
+		result     []uint16
+	}{
+		{
+			name:       "no suites set",
+			tlsSetting: TLSSetting{},
+			wantErr:    nil,
+			result:     nil,
+		},
+		{
+			name: "one cipher suite set",
+			tlsSetting: TLSSetting{
+				CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
+			},
+			wantErr: nil,
+			result:  []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+		},
+		{
+			name: "invalid cipher suite set",
+			tlsSetting: TLSSetting{
+				CipherSuites: []string{"FOO"},
+			},
+			wantErr: errors.New(`invalid TLS cipher suite: "FOO"`),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			config, err := test.tlsSetting.loadTLSConfig()
+			if test.wantErr != nil {
+				assert.Equal(t, test.wantErr, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.result, config.CipherSuites)
+			}
+		})
+	}
+}