From 4363fb1ef4676df2b9d99e3630e1b568141597c4 Mon Sep 17 00:00:00 2001 From: baojiangnan Date: Mon, 24 Jan 2022 20:02:57 +0800 Subject: [PATCH] disable insecure cipher suites This commit removes the following cipher suites that are known to be insecure: TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 And this commit deletes the tlsVersions of tls1.0 and tls1.1. The tls1.2 is the minimal supported tls version for creating a safer tls configuration. Signed-off-by: david.bao --- registry/proxy/proxyblobstore_test.go | 1 - registry/registry.go | 23 +++++++++++------------ registry/registry_test.go | 21 ++++++++++++++++++++- registry/storage/purgeuploads_test.go | 2 +- 4 files changed, 32 insertions(+), 15 deletions(-) diff --git a/registry/proxy/proxyblobstore_test.go b/registry/proxy/proxyblobstore_test.go index e95bf20c..2ba26738 100644 --- a/registry/proxy/proxyblobstore_test.go +++ b/registry/proxy/proxyblobstore_test.go @@ -76,7 +76,6 @@ func (sbs statsBlobStore) ServeBlob(ctx context.Context, w http.ResponseWriter, } func (sbs statsBlobStore) Stat(ctx context.Context, dgst digest.Digest) (distribution.Descriptor, error) { - sbsMu.Lock() sbs.stats["stat"]++ sbsMu.Unlock() diff --git a/registry/registry.go b/registry/registry.go index 229d1339..625102df 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -37,22 +37,16 @@ import ( // a map of TLS cipher suite names to constants in https://golang.org/pkg/crypto/tls/#pkg-constants var cipherSuites = map[string]uint16{ // TLS 1.0 - 1.2 cipher suites - "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, - "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, @@ -82,8 +76,6 @@ var defaultCipherSuites = []uint16{ var defaultTLSVersionStr = "tls1.2" var tlsVersions = map[string]uint16{ // user specified values - "tls1.0": tls.VersionTLS10, - "tls1.1": tls.VersionTLS11, "tls1.2": tls.VersionTLS12, "tls1.3": tls.VersionTLS13, } @@ -230,11 +222,18 @@ func (registry *Registry) ListenAndServe() error { } dcontext.GetLogger(registry.app).Infof("restricting TLS version to %s or higher", config.HTTP.TLS.MinimumTLS) - tlsCipherSuites, err := getCipherSuites(config.HTTP.TLS.CipherSuites) - if err != nil { - return err + var tlsCipherSuites []uint16 + // configuring cipher suites are no longer supported after the tls1.3. + // (https://go.dev/blog/tls-cipher-suites) + if tlsMinVersion > tls.VersionTLS12 { + dcontext.GetLogger(registry.app).Warnf("restricting TLS cipher suites to empty. Because configuring cipher suites is no longer supported in %s", config.HTTP.TLS.MinimumTLS) + } else { + tlsCipherSuites, err = getCipherSuites(config.HTTP.TLS.CipherSuites) + if err != nil { + return err + } + dcontext.GetLogger(registry.app).Infof("restricting TLS cipher suites to: %s", strings.Join(getCipherSuiteNames(tlsCipherSuites), ",")) } - dcontext.GetLogger(registry.app).Infof("restricting TLS cipher suites to: %s", strings.Join(getCipherSuiteNames(tlsCipherSuites), ",")) tlsConf := &tls.Config{ ClientAuth: tls.NoClientCert, diff --git a/registry/registry_test.go b/registry/registry_test.go index e0d5c218..15c91363 100644 --- a/registry/registry_test.go +++ b/registry/registry_test.go @@ -135,7 +135,10 @@ func TestGetCipherSuite(t *testing.T) { ) } - resp, err = getCipherSuites([]string{"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_128_GCM_SHA256"}) + resp, err = getCipherSuites([]string{ + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_AES_128_GCM_SHA256", + }) if err != nil || len(resp) != 2 || resp[0] != tls.TLS_RSA_WITH_AES_128_CBC_SHA || resp[1] != tls.TLS_AES_128_GCM_SHA256 { t.Errorf("expected cipher suites %q, got %q", @@ -148,6 +151,22 @@ func TestGetCipherSuite(t *testing.T) { if err == nil { t.Error("did not return expected error about unknown cipher suite") } + + var insecureCipherSuites = []string{ + "TLS_RSA_WITH_RC4_128_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + } + + for _, suite := range insecureCipherSuites { + _, err = getCipherSuites([]string{suite}) + if err == nil { + t.Errorf("Unexpected insecure cipher suite: %s", suite) + } + } } func buildRegistryTLSConfig(name, keyType string, cipherSuites []string) (*registryTLSConfig, error) { diff --git a/registry/storage/purgeuploads_test.go b/registry/storage/purgeuploads_test.go index 7ee127c0..4949ad18 100644 --- a/registry/storage/purgeuploads_test.go +++ b/registry/storage/purgeuploads_test.go @@ -46,7 +46,7 @@ func TestPurgeGather(t *testing.T) { fs, ctx := testUploadFS(t, uploadCount, "test-repo", time.Now()) uploadData, errs := getOutstandingUploads(ctx, fs) if len(errs) != 0 { - t.Errorf("Unexepected errors: %q", errs) + t.Errorf("Unexpected errors: %q", errs) } if len(uploadData) != uploadCount { t.Errorf("Unexpected upload file count: %d != %d", uploadCount, len(uploadData))