Skip to content

Commit

Permalink
[configtls] support setting cipher suites (open-telemetry#9168)
Browse files Browse the repository at this point in the history
**Description:**
Add `cipher_suites` to configtls:
Users can specify a list of cipher suites to pick from. If left blank, a
safe default list is used.

**Link to tracking Issue:**
Fixes open-telemetry#8105

**Testing:**
Unit tests

**Documentation:**
godoc and README

---------

Co-authored-by: Alex Boten <[email protected]>
  • Loading branch information
atoulme and Alex Boten authored Jan 17, 2024
1 parent 51b0e4d commit c1599fe
Show file tree
Hide file tree
Showing 4 changed files with 116 additions and 0 deletions.
26 changes: 26 additions & 0 deletions .chloggen/cipher_suites.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Use this changelog template to create an entry for release notes.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
component: configtls

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: add `cipher_suites` to configtls.

# One or more tracking issues or pull requests related to the change
issues: [8105]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext: |
Users can specify a list of cipher suites to pick from. If left blank, a safe default list is used.
# Optional: The change log or logs in which this entry should be included.
# e.g. '[user]' or '[user, api]'
# Include 'user' if the change is relevant to end users.
# Include 'api' if there is a change to a library API.
# Default: '[user]'
change_logs: []
11 changes: 11 additions & 0 deletions config/configtls/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,17 @@ __IMPORTANT__: TLS 1.0 and 1.1 are deprecated due to known vulnerabilities and s
- `max_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/ed9db1d36ad6ef61095d5941ad9ee6da7ab6d05a/src/crypto/tls/common.go#L700) - currently TLS 1.3): Maximum acceptable TLS version.
- options: ["1.0", "1.1", "1.2", "1.3"]

Explicit cipher suites can be set. If left blank, a safe default list is used. See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.
- `cipher_suites`: (default = []): List of cipher suites to use.

Example:
```
cipher_suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```

Additionally certificates may be reloaded by setting the below configuration.

- `reload_interval` (optional) : ReloadInterval specifies the duration after which the certificate will be reloaded.
Expand Down
30 changes: 30 additions & 0 deletions config/configtls/configtls.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ package configtls // import "go.opentelemetry.io/collector/config/configtls"
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"os"
"path/filepath"
Expand Down Expand Up @@ -54,6 +55,11 @@ type TLSSetting struct {
// If not set, refer to crypto/tls for defaults. (optional)
MaxVersion string `mapstructure:"max_version"`

// CipherSuites is a list of TLS cipher suites that the TLS transport can use.
// If left blank, a safe default list is used.
// See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.
CipherSuites []string `mapstructure:"cipher_suites"`

// ReloadInterval specifies the duration after which the certificate will be reloaded
// If not set, it will never be reloaded (optional)
ReloadInterval time.Duration `mapstructure:"reload_interval"`
Expand Down Expand Up @@ -175,16 +181,40 @@ func (c TLSSetting) loadTLSConfig() (*tls.Config, error) {
if err != nil {
return nil, fmt.Errorf("invalid TLS max_version: %w", err)
}
cipherSuites, err := convertCipherSuites(c.CipherSuites)
if err != nil {
return nil, err
}

return &tls.Config{
RootCAs: certPool,
GetCertificate: getCertificate,
GetClientCertificate: getClientCertificate,
MinVersion: minTLS,
MaxVersion: maxTLS,
CipherSuites: cipherSuites,
}, nil
}

func convertCipherSuites(cipherSuites []string) ([]uint16, error) {
var result []uint16
var errs []error
for _, suite := range cipherSuites {
found := false
for _, supported := range tls.CipherSuites() {
if suite == supported.Name {
result = append(result, supported.ID)
found = true
break
}
}
if !found {
errs = append(errs, fmt.Errorf("invalid TLS cipher suite: %q", suite))
}
}
return result, errors.Join(errs...)
}

func (c TLSSetting) loadCACertPool() (*x509.CertPool, error) {
// There is no need to load the System Certs for RootCAs because
// if the value is nil, it will default to checking against th System Certs.
Expand Down
49 changes: 49 additions & 0 deletions config/configtls/configtls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -627,3 +627,52 @@ func TestMinMaxTLSVersions(t *testing.T) {
})
}
}

func TestCipherSuites(t *testing.T) {
tests := []struct {
name string
tlsSetting TLSSetting
wantErr string
result []uint16
}{
{
name: "no suites set",
tlsSetting: TLSSetting{},
result: nil,
},
{
name: "one cipher suite set",
tlsSetting: TLSSetting{
CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
},
result: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
},
{
name: "invalid cipher suite set",
tlsSetting: TLSSetting{
CipherSuites: []string{"FOO"},
},
wantErr: `invalid TLS cipher suite: "FOO"`,
},
{
name: "multiple invalid cipher suites set",
tlsSetting: TLSSetting{
CipherSuites: []string{"FOO", "BAR"},
},
wantErr: `invalid TLS cipher suite: "FOO"
invalid TLS cipher suite: "BAR"`,
},
}

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
config, err := test.tlsSetting.loadTLSConfig()
if test.wantErr != "" {
assert.EqualError(t, err, test.wantErr)
} else {
assert.NoError(t, err)
assert.Equal(t, test.result, config.CipherSuites)
}
})
}
}

0 comments on commit c1599fe

Please sign in to comment.