You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@servicecomb.apache.org by GitBox <gi...@apache.org> on 2018/03/27 04:48:04 UTC

[GitHub] asifdxtreme closed pull request #318: SCB-432 Support using default tls cipher suites implements

asifdxtreme closed pull request #318: SCB-432 Support using default tls cipher suites implements
URL: https://github.com/apache/incubator-servicecomb-service-center/pull/318
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index cae53915..02786d95 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -95,7 +95,6 @@ ssl_verify_client = 1
 # minimal tls protocol, [TLSv1.0, TLSv1.1, TLSv1.2]
 ssl_protocols = TLSv1.2
 ssl_ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-ssl_client_ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256
 
 ###################################################################
 # log options
diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
index a923996c..d7d10fb9 100644
--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
@@ -25,14 +25,7 @@ import (
 	"strings"
 )
 
-var SERVER_TLS_CIPHER_SUITE_MAP = map[string]uint16{
-	"TLS_RSA_WITH_AES_128_GCM_SHA256":       tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_RSA_WITH_AES_256_GCM_SHA384":       tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-}
-
-var CLIENT_TLS_CIPHER_SUITE_MAP = map[string]uint16{
+var TLS_CIPHER_SUITE_MAP = map[string]uint16{
 	"TLS_RSA_WITH_AES_128_GCM_SHA256":       tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	"TLS_RSA_WITH_AES_256_GCM_SHA384":       tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
@@ -79,6 +72,10 @@ func toSSLConfig(opts ...SSLConfigOption) (op SSLConfig) {
 }
 
 func ParseSSLCipherSuites(ciphers string, permitTlsCipherSuiteMap map[string]uint16) []uint16 {
+	if len(ciphers) == 0 || len(permitTlsCipherSuiteMap) == 0 {
+		return nil
+	}
+
 	cipherSuiteList := make([]uint16, 0)
 	cipherSuiteNameList := strings.Split(ciphers, ",")
 	for _, cipherSuiteName := range cipherSuiteNameList {
@@ -98,12 +95,8 @@ func ParseSSLCipherSuites(ciphers string, permitTlsCipherSuiteMap map[string]uin
 	return cipherSuiteList
 }
 
-func ParseServerSSLCipherSuites(ciphers string) []uint16 {
-	return ParseSSLCipherSuites(ciphers, SERVER_TLS_CIPHER_SUITE_MAP)
-}
-
-func ParseClientSSLCipherSuites(ciphers string) []uint16 {
-	return ParseSSLCipherSuites(ciphers, CLIENT_TLS_CIPHER_SUITE_MAP)
+func ParseDefaultSSLCipherSuites(ciphers string) []uint16 {
+	return ParseSSLCipherSuites(ciphers, TLS_CIPHER_SUITE_MAP)
 }
 
 func ParseSSLProtocol(sprotocol string) uint16 {
diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
new file mode 100644
index 00000000..ebfe94ce
--- /dev/null
+++ b/pkg/tlsutil/tlsutil_test.go
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package tlsutil
+
+import "testing"
+
+func TestParseDefaultSSLCipherSuites(t *testing.T) {
+	c := ParseDefaultSSLCipherSuites("")
+	if c != nil {
+		t.FailNow()
+	}
+	c = ParseDefaultSSLCipherSuites("TLS_RSA_WITH_AES_128_CBC_SHA256")
+	if len(c) != 1 {
+		t.FailNow()
+	}
+	c = ParseDefaultSSLCipherSuites("a")
+	if len(c) != 0 {
+		t.FailNow()
+	}
+	c = ParseDefaultSSLCipherSuites("a,,b")
+	if len(c) != 0 {
+		t.FailNow()
+	}
+}
diff --git a/server/tls/tls.go b/server/tls/tls.go
index 58057fc2..118bde46 100644
--- a/server/tls/tls.go
+++ b/server/tls/tls.go
@@ -67,8 +67,7 @@ func DefaultClientTLSOptions() []tlsutil.SSLConfigOption {
 		tlsutil.WithVerifyHostName(false),
 		tlsutil.WithVersion(tlsutil.ParseSSLProtocol(beego.AppConfig.DefaultString("ssl_client_min_version",
 			core.ServerInfo.Config.SslMinVersion)), tls.VersionTLS12),
-		tlsutil.WithCipherSuits(tlsutil.ParseClientSSLCipherSuites(
-			beego.AppConfig.DefaultString("ssl_client_ciphers", core.ServerInfo.Config.SslCiphers))),
+		tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(beego.AppConfig.String("ssl_client_ciphers"))),
 		tlsutil.WithCA(GetSSLPath("trust.cer")),
 		tlsutil.WithCert(GetSSLPath("server.cer")),
 		tlsutil.WithKey(GetSSLPath("server_key.pem")),
@@ -79,7 +78,7 @@ func DefaultServerTLSOptions() []tlsutil.SSLConfigOption {
 	return []tlsutil.SSLConfigOption{
 		tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
 		tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion), tls.VersionTLS12),
-		tlsutil.WithCipherSuits(tlsutil.ParseServerSSLCipherSuites(core.ServerInfo.Config.SslCiphers)),
+		tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers)),
 		tlsutil.WithCA(GetSSLPath("trust.cer")),
 		tlsutil.WithCert(GetSSLPath("server.cer")),
 		tlsutil.WithKey(GetSSLPath("server_key.pem")),


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services