github.com/anuvu/nomad@v0.8.7-atom1/helper/tlsutil/config.go (about) 1 package tlsutil 2 3 import ( 4 "crypto/tls" 5 "crypto/x509" 6 "fmt" 7 "io/ioutil" 8 "net" 9 "strings" 10 "time" 11 12 "github.com/hashicorp/nomad/nomad/structs/config" 13 ) 14 15 // supportedTLSVersions are the current TLS versions that Nomad supports 16 var supportedTLSVersions = map[string]uint16{ 17 "tls10": tls.VersionTLS10, 18 "tls11": tls.VersionTLS11, 19 "tls12": tls.VersionTLS12, 20 } 21 22 // supportedTLSCiphers are the complete list of TLS ciphers supported by Nomad 23 var supportedTLSCiphers = map[string]uint16{ 24 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 25 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 26 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 27 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 28 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 29 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 30 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 31 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 32 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 33 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 34 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 35 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 36 "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, 37 "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, 38 "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, 39 "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, 40 "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, 41 } 42 43 // defaultTLSCiphers are the TLS Ciphers that are supported by default 44 var defaultTLSCiphers = []string{ 45 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 46 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 47 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", 48 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", 49 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 50 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 51 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 52 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 53 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 54 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 55 } 56 57 // RegionSpecificWrapper is used to invoke a static Region and turns a 58 // RegionWrapper into a Wrapper type. 59 func RegionSpecificWrapper(region string, tlsWrap RegionWrapper) Wrapper { 60 if tlsWrap == nil { 61 return nil 62 } 63 return func(conn net.Conn) (net.Conn, error) { 64 return tlsWrap(region, conn) 65 } 66 } 67 68 // RegionWrapper is a function that is used to wrap a non-TLS connection and 69 // returns an appropriate TLS connection or error. This takes a Region as an 70 // argument. 71 type RegionWrapper func(region string, conn net.Conn) (net.Conn, error) 72 73 // Wrapper wraps a connection and enables TLS on it. 74 type Wrapper func(conn net.Conn) (net.Conn, error) 75 76 // Config used to create tls.Config 77 type Config struct { 78 // VerifyIncoming is used to verify the authenticity of incoming connections. 79 // This means that TCP requests are forbidden, only allowing for TLS. TLS connections 80 // must match a provided certificate authority. This can be used to force client auth. 81 VerifyIncoming bool 82 83 // VerifyOutgoing is used to verify the authenticity of outgoing connections. 84 // This means that TLS requests are used, and TCP requests are not made. TLS connections 85 // must match a provided certificate authority. This is used to verify authenticity of 86 // server nodes. 87 VerifyOutgoing bool 88 89 // VerifyServerHostname is used to enable hostname verification of servers. This 90 // ensures that the certificate presented is valid for server.<datacenter>.<domain>. 91 // This prevents a compromised client from being restarted as a server, and then 92 // intercepting request traffic as well as being added as a raft peer. This should be 93 // enabled by default with VerifyOutgoing, but for legacy reasons we cannot break 94 // existing clients. 95 VerifyServerHostname bool 96 97 // CAFile is a path to a certificate authority file. This is used with VerifyIncoming 98 // or VerifyOutgoing to verify the TLS connection. 99 CAFile string 100 101 // CertFile is used to provide a TLS certificate that is used for serving TLS connections. 102 // Must be provided to serve TLS connections. 103 CertFile string 104 105 // KeyFile is used to provide a TLS key that is used for serving TLS connections. 106 // Must be provided to serve TLS connections. 107 KeyFile string 108 109 // KeyLoader dynamically reloads TLS configuration. 110 KeyLoader *config.KeyLoader 111 112 // CipherSuites have a default safe configuration, or operators can override 113 // these values for acceptable safe alternatives. 114 CipherSuites []uint16 115 116 // PreferServerCipherSuites controls whether the server selects the 117 // client's most preferred ciphersuite, or the server's most preferred 118 // ciphersuite. If true then the server's preference, as expressed in 119 // the order of elements in CipherSuites, is used. 120 PreferServerCipherSuites bool 121 122 // MinVersion contains the minimum SSL/TLS version that is accepted. 123 MinVersion uint16 124 } 125 126 func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoing bool) (*Config, error) { 127 ciphers, err := ParseCiphers(newConf.TLSCipherSuites) 128 if err != nil { 129 return nil, err 130 } 131 132 minVersion, err := ParseMinVersion(newConf.TLSMinVersion) 133 if err != nil { 134 return nil, err 135 } 136 137 return &Config{ 138 VerifyIncoming: verifyIncoming, 139 VerifyOutgoing: verifyOutgoing, 140 VerifyServerHostname: newConf.VerifyServerHostname, 141 CAFile: newConf.CAFile, 142 CertFile: newConf.CertFile, 143 KeyFile: newConf.KeyFile, 144 KeyLoader: newConf.GetKeyLoader(), 145 CipherSuites: ciphers, 146 MinVersion: minVersion, 147 PreferServerCipherSuites: newConf.TLSPreferServerCipherSuites, 148 }, nil 149 } 150 151 // AppendCA opens and parses the CA file and adds the certificates to 152 // the provided CertPool. 153 func (c *Config) AppendCA(pool *x509.CertPool) error { 154 if c.CAFile == "" { 155 return nil 156 } 157 158 // Read the file 159 data, err := ioutil.ReadFile(c.CAFile) 160 if err != nil { 161 return fmt.Errorf("Failed to read CA file: %v", err) 162 } 163 164 // Read certificates and return an error if no valid certificates were 165 // found. Unfortunately it is very difficult to return meaningful 166 // errors as PEM files are extremely permissive. 167 if !pool.AppendCertsFromPEM(data) { 168 return fmt.Errorf("Failed to parse any valid certificates in CA file: %s", c.CAFile) 169 } 170 171 return nil 172 } 173 174 // LoadKeyPair is used to open and parse a certificate and key file 175 func (c *Config) LoadKeyPair() (*tls.Certificate, error) { 176 if c.CertFile == "" || c.KeyFile == "" { 177 return nil, nil 178 } 179 180 if c.KeyLoader == nil { 181 return nil, fmt.Errorf("No Keyloader object to perform LoadKeyPair") 182 } 183 184 cert, err := c.KeyLoader.LoadKeyPair(c.CertFile, c.KeyFile) 185 if err != nil { 186 return nil, fmt.Errorf("Failed to load cert/key pair: %v", err) 187 } 188 return cert, err 189 } 190 191 // OutgoingTLSConfig generates a TLS configuration for outgoing 192 // requests. It will return a nil config if this configuration should 193 // not use TLS for outgoing connections. Provides a callback to 194 // fetch certificates, allowing for reloading on the fly. 195 func (c *Config) OutgoingTLSConfig() (*tls.Config, error) { 196 // If VerifyServerHostname is true, that implies VerifyOutgoing 197 if c.VerifyServerHostname { 198 c.VerifyOutgoing = true 199 } 200 if !c.VerifyOutgoing { 201 return nil, nil 202 } 203 // Create the tlsConfig 204 tlsConfig := &tls.Config{ 205 RootCAs: x509.NewCertPool(), 206 InsecureSkipVerify: true, 207 CipherSuites: c.CipherSuites, 208 MinVersion: c.MinVersion, 209 PreferServerCipherSuites: c.PreferServerCipherSuites, 210 } 211 if c.VerifyServerHostname { 212 tlsConfig.InsecureSkipVerify = false 213 } 214 215 // Ensure we have a CA if VerifyOutgoing is set 216 if c.VerifyOutgoing && c.CAFile == "" { 217 return nil, fmt.Errorf("VerifyOutgoing set, and no CA certificate provided!") 218 } 219 220 // Parse the CA cert if any 221 err := c.AppendCA(tlsConfig.RootCAs) 222 if err != nil { 223 return nil, err 224 } 225 226 cert, err := c.LoadKeyPair() 227 if err != nil { 228 return nil, err 229 } else if cert != nil { 230 tlsConfig.GetCertificate = c.KeyLoader.GetOutgoingCertificate 231 tlsConfig.GetClientCertificate = c.KeyLoader.GetClientCertificate 232 } 233 234 return tlsConfig, nil 235 } 236 237 // OutgoingTLSWrapper returns a a Wrapper based on the OutgoingTLS 238 // configuration. If hostname verification is on, the wrapper 239 // will properly generate the dynamic server name for verification. 240 func (c *Config) OutgoingTLSWrapper() (RegionWrapper, error) { 241 // Get the TLS config 242 tlsConfig, err := c.OutgoingTLSConfig() 243 if err != nil { 244 return nil, err 245 } 246 247 // Check if TLS is not enabled 248 if tlsConfig == nil { 249 return nil, nil 250 } 251 252 // Generate the wrapper based on hostname verification 253 if c.VerifyServerHostname { 254 wrapper := func(region string, conn net.Conn) (net.Conn, error) { 255 conf := tlsConfig.Clone() 256 conf.ServerName = "server." + region + ".nomad" 257 return WrapTLSClient(conn, conf) 258 } 259 return wrapper, nil 260 } else { 261 wrapper := func(dc string, c net.Conn) (net.Conn, error) { 262 return WrapTLSClient(c, tlsConfig) 263 } 264 return wrapper, nil 265 } 266 267 } 268 269 // Wrap a net.Conn into a client tls connection, performing any 270 // additional verification as needed. 271 // 272 // As of go 1.3, crypto/tls only supports either doing no certificate 273 // verification, or doing full verification including of the peer's 274 // DNS name. For consul, we want to validate that the certificate is 275 // signed by a known CA, but because consul doesn't use DNS names for 276 // node names, we don't verify the certificate DNS names. Since go 1.3 277 // no longer supports this mode of operation, we have to do it 278 // manually. 279 func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) { 280 var err error 281 var tlsConn *tls.Conn 282 283 tlsConn = tls.Client(conn, tlsConfig) 284 285 // If crypto/tls is doing verification, there's no need to do 286 // our own. 287 if tlsConfig.InsecureSkipVerify == false { 288 return tlsConn, nil 289 } 290 291 if err = tlsConn.Handshake(); err != nil { 292 tlsConn.Close() 293 return nil, err 294 } 295 296 // The following is lightly-modified from the doFullHandshake 297 // method in crypto/tls's handshake_client.go. 298 opts := x509.VerifyOptions{ 299 Roots: tlsConfig.RootCAs, 300 CurrentTime: time.Now(), 301 DNSName: "", 302 Intermediates: x509.NewCertPool(), 303 } 304 305 certs := tlsConn.ConnectionState().PeerCertificates 306 for i, cert := range certs { 307 if i == 0 { 308 continue 309 } 310 opts.Intermediates.AddCert(cert) 311 } 312 313 _, err = certs[0].Verify(opts) 314 if err != nil { 315 tlsConn.Close() 316 return nil, err 317 } 318 319 return tlsConn, err 320 } 321 322 // IncomingTLSConfig generates a TLS configuration for incoming requests 323 func (c *Config) IncomingTLSConfig() (*tls.Config, error) { 324 // Create the tlsConfig 325 tlsConfig := &tls.Config{ 326 ClientCAs: x509.NewCertPool(), 327 ClientAuth: tls.NoClientCert, 328 CipherSuites: c.CipherSuites, 329 MinVersion: c.MinVersion, 330 PreferServerCipherSuites: c.PreferServerCipherSuites, 331 } 332 333 // Parse the CA cert if any 334 err := c.AppendCA(tlsConfig.ClientCAs) 335 if err != nil { 336 return nil, err 337 } 338 339 // Add cert/key 340 cert, err := c.LoadKeyPair() 341 if err != nil { 342 return nil, err 343 } else if cert != nil { 344 tlsConfig.GetCertificate = c.KeyLoader.GetOutgoingCertificate 345 } 346 347 // Check if we require verification 348 if c.VerifyIncoming { 349 tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert 350 if c.CAFile == "" { 351 return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!") 352 } 353 if cert == nil { 354 return nil, fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!") 355 } 356 } 357 358 return tlsConfig, nil 359 } 360 361 // ParseCiphers parses ciphersuites from the comma-separated string into 362 // recognized slice 363 func ParseCiphers(cipherStr string) ([]uint16, error) { 364 suites := []uint16{} 365 366 cipherStr = strings.TrimSpace(cipherStr) 367 368 var ciphers []string 369 if cipherStr == "" { 370 ciphers = defaultTLSCiphers 371 372 } else { 373 ciphers = strings.Split(cipherStr, ",") 374 } 375 for _, cipher := range ciphers { 376 c, ok := supportedTLSCiphers[cipher] 377 if !ok { 378 return suites, fmt.Errorf("unsupported TLS cipher %q", cipher) 379 } 380 suites = append(suites, c) 381 } 382 383 return suites, nil 384 } 385 386 // ParseMinVersion parses the specified minimum TLS version for the Nomad agent 387 func ParseMinVersion(version string) (uint16, error) { 388 if version == "" { 389 return supportedTLSVersions["tls12"], nil 390 } 391 392 vers, ok := supportedTLSVersions[version] 393 if !ok { 394 return 0, fmt.Errorf("unsupported TLS version %q", version) 395 } 396 397 return vers, nil 398 }