From c2ecb101085851cfd3b86d721fa12fca3a7e8192 Mon Sep 17 00:00:00 2001
From: jchacko
Date: Wed, 17 Aug 2022 15:11:41 +0200
Subject: [PATCH 1/4] Update sample configuration
---
 bmcldap.yml.sample | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/bmcldap.yml.sample b/bmcldap.yml.sample
index f2482b2..f3230b7 100644
--- a/bmcldap.yml.sample
+++ b/bmcldap.yml.sample
@@ -3,6 +3,16 @@ ClientCaCert: "/etc/openldap/cacerts/cacert.pem"
 RemoteServerName: "ldaps.example.com"
 RemoteServerPortTLS: 636
 MinTLSVersion: "1.2"
+CipherSuites:
+ - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+ - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+ - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+ - "TLS_RSA_WITH_AES_128_GCM_SHA256"
+ - "TLS_RSA_WITH_AES_256_GCM_SHA384"
+ - "TLS_RSA_WITH_AES_128_CBC_SHA"
+ - "TLS_RSA_WITH_AES_256_CBC_SHA"
 Debug: true
 PortTLS: 443
 PortInsecure: 386
From 70065174f49a9623472828146a0e8c171e874ead Mon Sep 17 00:00:00 2001
From: jchacko
Date: Wed, 17 Aug 2022 15:55:06 +0200
Subject: [PATCH 2/4] Read TLS Ciphers from conf and set TLS config
---
 cmd/serve.go | 1 +
 pkg/config/config.go | 1 +
 pkg/server.go | 30 ++++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+)
diff --git a/cmd/serve.go b/cmd/serve.go
index 2cb62be..1fdfdd1 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -46,6 +46,7 @@ func serve() {
 RemoteServerPortTLS: viper.GetInt("RemoteServerPortTLS"),
 Debug: viper.GetBool("Debug"),
 MinTLSVersion: viper.GetString("MinTLSVersion"),
+ CipherSuites: viper.GetStringSlice("CipherSuites"),
 PortTLS: viper.GetInt("PortTLS"),
 PortInsecure: viper.GetInt("PortInsecure"),
 Cert: viper.GetString("Cert"),
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 2e754d6..adf6920 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
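Review bot: The sample list mixes in the `TLS_RSA_WITH_*` entries, which use RSA key exchange and therefore give no forward secrecy, and the `*_CBC_SHA` entries, which are legacy constructions; a sample file is what most deployments copy verbatim, so it would be better to keep the active list to the ECDHE AEAD suites and leave the compatibility entries commented out with a one-line note such as `# Legacy suites (no forward secrecy / CBC); enable only for clients that cannot negotiate the ECDHE suites above`. A comment that this list governs TLS 1.2 only would also help, since Go does not allow TLS 1.3 suites to be configured. Whether the Go toolchain in use still offers the RSA key-exchange suites by default is not visible from the patch and should be checked before recommending them.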
@@ -21,6 +21,7 @@ type Config struct {
 BaseDN string
 Config string
 MinTLSVersion string
+ CipherSuites []string
 RemoteServerName string
 RemoteServerPortTLS int
 CaCert string
diff --git a/pkg/server.go b/pkg/server.go
index 3fa63d9..1943617 100644
--- a/pkg/server.go
+++ b/pkg/server.go
@@ -86,9 +86,39 @@ func (bmcLdap *BmcLdap) LoadTlsConfig(c *config.Config) *tls.Config {
 }).Warning("Using TLS 1.1, ignoring unsupported version " + c.MinTLSVersion)
 }
+ // Please Note: TLSv1.3 Ciphers cannot be configured as of today
+ var cipherSuitesTLS []uint16
+
+ if len(c.CipherSuites) > 0 {
+
+ // Check if the Cipher Keys Belong to Secure Ciphers
+ for _, secureCipher := range tls.CipherSuites() {
+ if sliceContains(c.CipherSuites, secureCipher.Name) {
+ cipherSuitesTLS = append(cipherSuitesTLS, secureCipher.ID)
+ }
+ }
+ // In case anyone wants to use Insecure Ciphers for compatibility issues
+ for _, inSecureCipher := range tls.InsecureCipherSuites() {
+ if sliceContains(c.CipherSuites, inSecureCipher.Name) {
+ cipherSuitesTLS = append(cipherSuitesTLS, inSecureCipher.ID)
+ }
+ }
+ }
 return &tls.Config{
 Certificates: []tls.Certificate{cert},
 InsecureSkipVerify: true,
 MinVersion: uint16(minVersion),
+ CipherSuites: cipherSuitesTLS,
 }
 }
+
+// A function to check if a slice contains a string
+func sliceContains(s []string, str string) bool {
+ for _, v := range s {
+ if v == str {
+ return true
+ }
+ }
+
+ return false
+}
From 5f550d1334f4dc73e2fdedfdf7ac8c454ce4010e Mon Sep 17 00:00:00 2001
From: jchacko
Date: Wed, 17 Aug 2022 17:34:38 +0200
Subject: [PATCH 3/4] Update setup test case
---
 pkg/backend_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/backend_test.go b/pkg/backend_test.go
index 2225725..7aa9079 100644
--- a/pkg/backend_test.go
+++ b/pkg/backend_test.go
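Review bot: A configured name that matches neither `tls.CipherSuites()` nor `tls.InsecureCipherSuites()` is silently dropped by the two `sliceContains` loops, so a typo or a suite unknown to this Go version narrows the list without any log line, and if nothing matches `cipherSuitesTLS` stays nil and the `tls.Config` falls back to Go's default suite set while the operator believes a restrictive list is in force. Enabling one of the insecure suites is equally silent even though each `tls.CipherSuite` carries an `Insecure` flag that could drive a warning. Inverting the lookup — a name-to-suite map built from both lists, then a walk over `c.CipherSuites` — lets every entry be either used or reported through the same logger already used for the MinTLSVersion warning above, and it follows the operator's order rather than Go's; the follow-up commit "Combine Ciphers to one" merges the two loops but keeps the same silent-drop behaviour, so the point applies there as well. `LoadTlsConfig` begins before this hunk, and `sliceContains` becomes unused with this change.
```go
// … unchanged: MinTLSVersion handling …
// Please Note: TLSv1.3 Ciphers cannot be configured as of today
var cipherSuitesTLS []uint16
if len(c.CipherSuites) > 0 {
	// Index every suite this Go version knows, secure and insecure, by name.
	byName := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	for _, cs := range tls.InsecureCipherSuites() {
		byName[cs.Name] = cs
	}
	// Walk the operator's list so each entry is either applied or reported.
	for _, name := range c.CipherSuites {
		cs, ok := byName[name]
		if !ok {
			// TODO(<logger used for the MinTLSVersion warning>): warn "unknown cipher suite name, ignored" with the name
			continue
		}
		if cs.Insecure {
			// TODO(<same logger>): warn "insecure cipher suite enabled by configuration" with the name
		}
		cipherSuitesTLS = append(cipherSuitesTLS, cs.ID)
	}
}
// … unchanged: return &tls.Config{…} …
```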
@@ -21,6 +21,7 @@ func setup() (*Config, *logrus.Logger) {
 RemoteServerPortTLS: 636,
 Debug: true,
 MinTLSVersion: "1.2",
+ CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
 PortTLS: 443,
 PortInsecure: 386,
 Cert: "/etc/bmcldap/server.pem",
From 59f9cf43e1ab55e69c5efd871ed50cc1a0e5f6df Mon Sep 17 00:00:00 2001
From: jchacko
Date: Wed, 17 Aug 2022 18:00:26 +0200
Subject: [PATCH 4/4] Combine Ciphers to one
---
 pkg/server.go | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/pkg/server.go b/pkg/server.go
index 1943617..4ae41c3 100644
--- a/pkg/server.go
+++ b/pkg/server.go
@@ -86,23 +86,19 @@ func (bmcLdap *BmcLdap) LoadTlsConfig(c *config.Config) *tls.Config {
 }).Warning("Using TLS 1.1, ignoring unsupported version " + c.MinTLSVersion)
 }
- // Please Note: TLSv1.3 Ciphers cannot be configured as of today
+ // Please Note: TLSv1.3 Ciphers cannot be defined as of today
 var cipherSuitesTLS []uint16
 if len(c.CipherSuites) > 0 {
-
- // Check if the Cipher Keys Belong to Secure Ciphers
- for _, secureCipher := range tls.CipherSuites() {
+ // Including Both Secure and Insecure Ciphers, in-case anyone wants to use Insecure ones for compatibility reasons
+ allCipherSuites := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
+ // Check if the Cipher Keys Belong to Ciphers supported by Go TLS module
+ for _, secureCipher := range allCipherSuites {
 if sliceContains(c.CipherSuites, secureCipher.Name) {
 cipherSuitesTLS = append(cipherSuitesTLS, secureCipher.ID)
 }
 }
- // In case anyone wants to use Insecure Ciphers for compatibility issues
- for _, inSecureCipher := range tls.InsecureCipherSuites() {
- if sliceContains(c.CipherSuites, inSecureCipher.Name) {
- cipherSuitesTLS = append(cipherSuitesTLS, inSecureCipher.ID)
- }
- }
+
 }
 return &tls.Config{
 Certificates: []tls.Certificate{cert},
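Review bot: `secureCipher` now ranges over `allCipherSuites`, which includes the `tls.InsecureCipherSuites()` entries, so the loop variable's name misstates what it holds; `for _, cs := range allCipherSuites {` with `cs.Name` and `cs.ID` would read correctly. The comment "Check if the Cipher Keys Belong to Ciphers supported by Go TLS module" is also better phrased as what the loop does: `// Map the configured suite names to IDs; names this Go version does not list are skipped`. `LoadTlsConfig` begins before this hunk.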