Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

credentials: Apply defaults to TLS configs provided through GetConfigForClient #7754

Merged
merged 6 commits into from
Oct 22, 2024
+324 −99
Merged

credentials: Apply defaults to TLS configs provided through GetConfigForClient #7754

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
87016c7
Apply secure defaults to TLS configs provided through GetConfigForClient
arjan-bal Oct 17, 2024
67dfb32
Add cases which return nil from GetConfigForClient
arjan-bal Oct 17, 2024
042ec4b
better variable names
arjan-bal Oct 17, 2024
0b1146d
Use a getter for tls config in tests
arjan-bal Oct 18, 2024
5da078b
Inline TLS configs in test cases
arjan-bal Oct 21, 2024
0922abc
Merge remote-tracking branch 'source/master' into defaults-in-get-con…
arjan-bal Oct 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 22 additions & 7 deletions credentials/tls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,25 +200,40 @@ var tls12ForbiddenCipherSuites = map[uint16]struct{}{

// NewTLS uses c to construct a TransportCredentials based on TLS.
func NewTLS(c *tls.Config) TransportCredentials {
tc := &tlsCreds{credinternal.CloneTLSConfig(c)}
tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos)
config := applyDefaults(c)
if config.GetConfigForClient != nil {
oldFn := config.GetConfigForClient
config.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
cfgForClient, err := oldFn(hello)
if err != nil || cfgForClient == nil {
return cfgForClient, err
gtcooke94 marked this conversation as resolved.
Show resolved Hide resolved
}
return applyDefaults(cfgForClient), nil
}
}
return &tlsCreds{config: config}
}

func applyDefaults(c *tls.Config) *tls.Config {
config := credinternal.CloneTLSConfig(c)
config.NextProtos = credinternal.AppendH2ToNextProtos(config.NextProtos)
// If the user did not configure a MinVersion and did not configure a
// MaxVersion < 1.2, use MinVersion=1.2, which is required by
// https://datatracker.ietf.org/doc/html/rfc7540#section-9.2
if tc.config.MinVersion == 0 && (tc.config.MaxVersion == 0 || tc.config.MaxVersion >= tls.VersionTLS12) {
tc.config.MinVersion = tls.VersionTLS12
if config.MinVersion == 0 && (config.MaxVersion == 0 || config.MaxVersion >= tls.VersionTLS12) {
config.MinVersion = tls.VersionTLS12
}
// If the user did not configure CipherSuites, use all "secure" cipher
// suites reported by the TLS package, but remove some explicitly forbidden
// by https://datatracker.ietf.org/doc/html/rfc7540#appendix-A
if tc.config.CipherSuites == nil {
if config.CipherSuites == nil {
for _, cs := range tls.CipherSuites() {
if _, ok := tls12ForbiddenCipherSuites[cs.ID]; !ok {
tc.config.CipherSuites = append(tc.config.CipherSuites, cs.ID)
config.CipherSuites = append(config.CipherSuites, cs.ID)
}
}
}
return tc
return config
}

// NewClientTLSFromCert constructs TLS credentials from the provided root
Expand Down
Loading