Merge pull request #2 from jibsonline/Option_to_specify_SSL_Ciphers

Option to specify ssl ciphers
bmc-toolbox · Aug 18, 2022 · 834df7c · 834df7c
2 parents 36512f2 + 59f9cf4
commit 834df7c
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 0 deletions.
diff --git a/bmcldap.yml.sample b/bmcldap.yml.sample
@@ -3,6 +3,16 @@ ClientCaCert: "/etc/openldap/cacerts/cacert.pem"
 RemoteServerName: "ldaps.example.com"
 RemoteServerPortTLS: 636
 MinTLSVersion: "1.2"
+CipherSuites:
+  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+  - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+  - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+  - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+  - "TLS_RSA_WITH_AES_128_GCM_SHA256"
+  - "TLS_RSA_WITH_AES_256_GCM_SHA384"
+  - "TLS_RSA_WITH_AES_128_CBC_SHA"
+  - "TLS_RSA_WITH_AES_256_CBC_SHA"
 Debug: true
 PortTLS: 443
 PortInsecure: 386

diff --git a/cmd/serve.go b/cmd/serve.go
@@ -46,6 +46,7 @@ func serve() {
 		RemoteServerPortTLS:     viper.GetInt("RemoteServerPortTLS"),
 		Debug:                   viper.GetBool("Debug"),
 		MinTLSVersion:           viper.GetString("MinTLSVersion"),
+		CipherSuites:            viper.GetStringSlice("CipherSuites"),
 		PortTLS:                 viper.GetInt("PortTLS"),
 		PortInsecure:            viper.GetInt("PortInsecure"),
 		Cert:                    viper.GetString("Cert"),

diff --git a/pkg/backend_test.go b/pkg/backend_test.go
@@ -21,6 +21,7 @@ func setup() (*Config, *logrus.Logger) {
 		RemoteServerPortTLS: 636,
 		Debug:               true,
 		MinTLSVersion:       "1.2",
+		CipherSuites:        []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
 		PortTLS:             443,
 		PortInsecure:        386,
 		Cert:                "/etc/bmcldap/server.pem",

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -21,6 +21,7 @@ type Config struct {
 	BaseDN              string
 	Config              string
 	MinTLSVersion       string
+	CipherSuites        []string
 	RemoteServerName    string
 	RemoteServerPortTLS int
 	CaCert              string

diff --git a/pkg/server.go b/pkg/server.go
@@ -86,9 +86,35 @@ func (bmcLdap *BmcLdap) LoadTlsConfig(c *config.Config) *tls.Config {
 		}).Warning("Using TLS 1.1, ignoring unsupported version " + c.MinTLSVersion)
 	}
 
+	// Please Note: TLSv1.3 Ciphers cannot be defined as of today
+	var cipherSuitesTLS []uint16
+
+	if len(c.CipherSuites) > 0 {
+		// Including Both Secure and Insecure Ciphers, in-case anyone wants to use Insecure ones for compatibility reasons
+		allCipherSuites := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
+		// Check if the Cipher Keys Belong to Ciphers supported by Go TLS module
+		for _, secureCipher := range allCipherSuites {
+			if sliceContains(c.CipherSuites, secureCipher.Name) {
+				cipherSuitesTLS = append(cipherSuitesTLS, secureCipher.ID)
+			}
+		}
+
+	}
 	return &tls.Config{
 		Certificates:       []tls.Certificate{cert},
 		InsecureSkipVerify: true,
 		MinVersion:         uint16(minVersion),
+		CipherSuites:       cipherSuitesTLS,
 	}
 }
+
+// A function to check if a slice contains a string
+func sliceContains(s []string, str string) bool {
+	for _, v := range s {
+		if v == str {
+			return true
+		}
+	}
+
+	return false
+}