

OM-193 - added tls-cipher-suites config parameter (#122)
added the tls-cipher-suites config parameter to the Agent config block
mphanias authored Jun 18, 2024
1 parent 91d6631 commit d1574b4
Showing 5 changed files with 61 additions and 1 deletion.
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -356,6 +356,11 @@ make release-docker-multi-arch
# Root CA to validate client certificates (for mutual TLS)
root_ca = ""
# Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
# a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
# NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
tls_cipher_suites = ""
# Passphrase for encrypted key_file. Supports below formats,
# 1. Passphrase directly - "<passphrase>"
# 2. Passphrase via file - "file:<file-that-contains-passphrase>"
Expand All @@ -374,7 +379,8 @@ make release-docker-multi-arch
basic_auth_username=""
basic_auth_password=""
```

- NOTE: Minimum TLS version is 1.2, tls_cipher_suites can be configured only upto TLS1.2

- Use users' allowlist and blocklist configuration to filter out the users for which the statistics are to be fetched. The user statistics are available in Aerospike 5.6+. To fetch user statistics, the authenticated user must have `user-admin` privilege.
```toml
[Aerospike]
5 changes: 5 additions & 0 deletions configs/ape.toml
Expand Up @@ -40,6 +40,11 @@
# Root CA to validate client certificates (for mutual TLS)
root_ca = ""

# a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
# Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
# NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
tls_cipher_suites = ""

# Passphrase for encrypted key_file. Supports below formats,
# 1. Passphrase directly - "<passphrase>"
# 2. Passphrase via file - "file:<file-that-contains-passphrase>"
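--- a/internal/pkg/commons/utils.go
+++ b/internal/pkg/commons/utils.go
@@ -327,3 +327,49 @@ func HandleSignals() {
 }
 }()
 }
+
+// Utility method fetch the support Cipher in the Golang/OS combination
+//
+// from configures ciphers in ape.toml, filters the matched and valid-ciphers
+// Ciphers are configurable only upto TLS 1.2 version
+func GetConfiguredCipherSuiteIds() []uint16 {
+supportedCipherSuites := loadCipherSuitesList()
+log.Trace("Supported CipherSuites ", supportedCipherSuites)
+
+cipherSuiteIds := []uint16{}
+
+if len(strings.Trim(config.Cfg.Agent.TlsCipherSuites, " ")) > 0 {
+return cipherSuiteIds
+}
+
+log.Trace("Configured Cipher Suite Names : ", config.Cfg.Agent.TlsCipherSuites)
+configuredCipherSuites := strings.Split(config.Cfg.Agent.TlsCipherSuites, ",")
+
+for _, cipherName := range configuredCipherSuites {
+cipherName = strings.Trim(cipherName, " ")
+
+if len(cipherName) == 0 {
+continue
+}
+
+id, ok := supportedCipherSuites[strings.ToUpper(cipherName)]
+if !ok {
+log.Error("Unrecognized TLS Cipher Name, ignoring : ", cipherName)
+} else {
+cipherSuiteIds = append(cipherSuiteIds, id)
+}
+
+}
+
+return cipherSuiteIds
+}
+
+func loadCipherSuitesList() map[string]uint16 {
+supportedCipherSuites := make(map[string]uint16)
+// supported secure cipher suites
+for _, suite := range tls.CipherSuites() {
+supportedCipherSuites[suite.Name] = suite.ID
+}
+
+return supportedCipherSuites
+}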
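Review bot: The guard `if len(strings.Trim(config.Cfg.Agent.TlsCipherSuites, " ")) > 0 { return cipherSuiteIds }` in GetConfiguredCipherSuiteIds is inverted: a non-empty `tls_cipher_suites` returns the empty slice before any name is parsed, and only the unconfigured case reaches the parsing loop, so configured suites are never applied; the condition should be `== 0`. A second problem is that `cipherSuiteIds := []uint16{}` is a non-nil empty slice, and as far as I recall crypto/tls only falls back to its default suites when `Config.CipherSuites` is nil, so returning this for the unconfigured case (or when every configured name is unrecognized) would leave the server with no TLS 1.2 suites at all — prefer `var cipherSuiteIds []uint16` with `return nil` from the guard, and consider failing fast instead of just logging when a configured list resolves to nothing. Building the lookup from `tls.CipherSuites()` is the right choice, but it means names from `tls.InsecureCipherSuites()` are rejected as "Unrecognized" despite the config comment saying "(both supported and Insecure)", and the TLS 1.3 names used as the documented example (e.g. `TLS_AES_128_GCM_SHA256`) do resolve here yet are ignored by crypto/tls, which does not allow configuring TLS 1.3 suites; the comment and example should say so.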
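--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -34,6 +34,7 @@ type Config struct {
 KeyFile string `toml:"key_file"`
 RootCA string `toml:"root_ca"`
 KeyFilePassphrase string `toml:"key_file_passphrase"`
+TlsCipherSuites string `toml:"tls_cipher_suites"`
 
 BasicAuthUsername string `toml:"basic_auth_username"`
 BasicAuthPassword string `toml:"basic_auth_password"`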
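Review bot: The new field name `TlsCipherSuites` breaks Go's initialism convention that the neighbouring `RootCA` follows; it should read `TLSCipherSuites string `toml:"tls_cipher_suites"`` (the TOML tag, which is what users see, stays the same). The only visible reader is `config.Cfg.Agent.TlsCipherSuites` in commons/utils.go, which would need the matching rename. The `Config` struct begins outside this hunk.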
2 changes: 2 additions & 0 deletions internal/pkg/executors/prometheus_httplistener.go
Expand Up @@ -112,10 +112,12 @@ func initExporterTLS() *tls.Config {
log.Fatal(err)
}

// Golang docs -- https://pkg.go.dev/crypto/tls#section-documentation
tlsConfig := &tls.Config{
Certificates: serverPool,
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
CipherSuites: commons.GetConfiguredCipherSuiteIds(),
PreferServerCipherSuites: true,
InsecureSkipVerify: false,
}
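Review bot: `CipherSuites: commons.GetConfiguredCipherSuiteIds()` assigns the helper's result unconditionally, so whenever the helper returns an empty non-nil slice (which, as written, it does for an unset `tls_cipher_suites`) the listener is handed an explicit empty TLS 1.2 allowlist rather than Go's defaults, and TLS 1.2 clients would fail to negotiate while TLS 1.3 ones still connect. Guard the assignment at this call site so a bad or missing value cannot strip the suite list: `if suites := commons.GetConfiguredCipherSuiteIds(); len(suites) > 0 { tlsConfig.CipherSuites = suites }`. The neighbouring `PreferServerCipherSuites: true` has been deprecated and ignored since Go 1.17, so it provides no ordering guarantee for the configured list; a comment noting that the server now always prefers its own order would save the next reader from relying on it. `initExporterTLS` starts outside this hunk.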
