Om 193 #122

Merged
merged 10 commits into from
Jun 18, 2024
Changes from 8 commits
8 changes: 7 additions & 1 deletion README.md
Expand Up @@ -356,6 +356,11 @@ make release-docker-multi-arch
# Root CA to validate client certificates (for mutual TLS)
root_ca = ""

# Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
# a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
# NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
tls_cipher_suites = ""

# Passphrase for encrypted key_file. Supports below formats,
# 1. Passphrase directly - "<passphrase>"
# 2. Passphrase via file - "file:<file-that-contains-passphrase>"
Expand All @@ -374,7 +379,8 @@ make release-docker-multi-arch
basic_auth_username=""
basic_auth_password=""
```

- NOTE: Minimum TLS version is 1.2, tls_cipher_suites can be configured only upto TLS1.2

- Use users' allowlist and blocklist configuration to filter out the users for which the statistics are to be fetched. The user statistics are available in Aerospike 5.6+. To fetch user statistics, the authenticated user must have `user-admin` privilege.
```toml
[Aerospike]
5 changes: 5 additions & 0 deletions configs/ape.toml
Expand Up @@ -40,6 +40,11 @@
# Root CA to validate client certificates (for mutual TLS)
root_ca = ""

# a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
# Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
# NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
tls_cipher_suites = ""

# Passphrase for encrypted key_file. Supports below formats,
# 1. Passphrase directly - "<passphrase>"
# 2. Passphrase via file - "file:<file-that-contains-passphrase>"
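Review bot: The example value in the new `tls_cipher_suites` comment contradicts the NOTE two lines below it: `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384` are TLS 1.3 suites, and the note says cipher configuration only applies up to TLS 1.2, so an operator who copies the example restricts nothing on a TLS 1.2 handshake. Use TLS 1.2 names in the example, e.g. `# example: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`. The comment also says the list covers "both supported and Insecure" suites, but the Go code in this PR only consults `tls.CipherSuites()` (the secure list), so an insecure suite name would be rejected as unrecognized; say so rather than pointing at the insecure constants. Minor wording: "is support only till TLS1.2 verison" should read "is supported only up to TLS 1.2".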
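--- a/internal/pkg/commons/utils.go
+++ b/internal/pkg/commons/utils.go
@@ -327,3 +327,49 @@ func HandleSignals() {
 }
 }()
 }
+
+// Utility method fetch the support Cipher in the Golang/OS combination
+//
+// from configures ciphers in ape.toml, filters the matched and valid-ciphers
+// Ciphers are configurable only upto TLS 1.2 version
+func GetConfiguredCipherSuiteIds() []uint16 {
+supportedCipherSuites := loadCipherSuitesList()
+log.Trace("Supported CipherSuites ", supportedCipherSuites)
+
+cipherSuiteIds := []uint16{}
+
+if len(strings.Trim(config.Cfg.Agent.TlsCipherSuites, " ")) > 0 {
+return cipherSuiteIds
+}
+
+log.Trace("Configured Cipher Suite Names : ", config.Cfg.Agent.TlsCipherSuites)
+configuredCipherSuites := strings.Split(config.Cfg.Agent.TlsCipherSuites, ",")
+
+for _, cipherName := range configuredCipherSuites {
+cipherName = strings.Trim(cipherName, " ")
+
+if len(cipherName) == 0 {
+continue
+}
+
+id, ok := supportedCipherSuites[strings.ToUpper(cipherName)]
+if !ok {
+log.Error("Unrecognized TLS Cipher Name, ignoring : ", cipherName)
+} else {
+cipherSuiteIds = append(cipherSuiteIds, id)
+}
+
+}
+
+return cipherSuiteIds
+}
+
+func loadCipherSuitesList() map[string]uint16 {
+supportedCipherSuites := make(map[string]uint16)
+// supported secure cipher suites
+for _, suite := range tls.CipherSuites() {
+supportedCipherSuites[suite.Name] = suite.ID
+}
+
+return supportedCipherSuites
+}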
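Review bot: The guard near the top of GetConfiguredCipherSuiteIds is inverted: `if len(strings.Trim(config.Cfg.Agent.TlsCipherSuites, " ")) > 0 { return cipherSuiteIds }` returns early exactly when the operator has set `tls_cipher_suites`, so the configured list is never parsed and the intended restriction silently does not apply; the condition should be `== 0`. Two further problems compound it: the early return hands back `[]uint16{}`, a non-nil empty slice, and crypto/tls only substitutes its default list when `CipherSuites` is nil, so as far as I can tell this leaves the listener with no TLS 1.2 suite at all (TLS 1.3 is unaffected because Go ignores the list there); and unrecognized names are only logged and skipped, so a typo in every entry likewise yields an empty list instead of a startup failure. I would declare the result as a nil slice, use `strings.TrimSpace` (the current `Trim(…, " ")` leaves tabs in place), fail after the loop when nothing valid remains (the caller initExporterTLS already uses log.Fatal for TLS setup errors), and have loadCipherSuitesList skip the TLS 1.3-only entries of `tls.CipherSuites()` so that a name like TLS_AES_128_GCM_SHA256 is rejected rather than accepted with no effect.
```go
func GetConfiguredCipherSuiteIds() []uint16 {
	supportedCipherSuites := loadCipherSuitesList()
	log.Trace("Supported CipherSuites ", supportedCipherSuites)

	// nil, not []uint16{}: crypto/tls only falls back to its defaults for a nil CipherSuites
	var cipherSuiteIds []uint16

	if len(strings.TrimSpace(config.Cfg.Agent.TlsCipherSuites)) == 0 {
		return cipherSuiteIds
	}

	// … unchanged: split on ",", trim each name, look it up in supportedCipherSuites, log and skip unknown names …

	if len(cipherSuiteIds) == 0 {
		log.Fatal("tls_cipher_suites is set but contains no recognized TLS 1.2 cipher suite: ", config.Cfg.Agent.TlsCipherSuites)
	}
	return cipherSuiteIds
}

func loadCipherSuitesList() map[string]uint16 {
	supportedCipherSuites := make(map[string]uint16)
	for _, suite := range tls.CipherSuites() {
		// Go ignores Config.CipherSuites for TLS 1.3, so offering 1.3-only suites here is misleading
		if len(suite.SupportedVersions) == 1 && suite.SupportedVersions[0] == tls.VersionTLS13 {
			continue
		}
		supportedCipherSuites[suite.Name] = suite.ID
	}
	return supportedCipherSuites
}
```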
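--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -34,6 +34,7 @@ type Config struct {
 KeyFile string `toml:"key_file"`
 RootCA string `toml:"root_ca"`
 KeyFilePassphrase string `toml:"key_file_passphrase"`
+TlsCipherSuites string `toml:"tls_cipher_suites"`
 
 BasicAuthUsername string `toml:"basic_auth_username"`
 BasicAuthPassword string `toml:"basic_auth_password"`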
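Review bot: `TlsCipherSuites` breaks the initialism casing used by its neighbour `RootCA` and by Go convention generally; `TLSCipherSuites string \`toml:"tls_cipher_suites"\`` keeps the toml key unchanged and only touches the Go identifier, whose single use in this PR is `config.Cfg.Agent.TlsCipherSuites` in utils.go. The Config struct begins outside this hunk, so I cannot see whether other fields already deviate from that convention.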
12 changes: 9 additions & 3 deletions internal/pkg/executors/prometheus_httplistener.go
Expand Up @@ -112,14 +112,20 @@ func initExporterTLS() *tls.Config {
log.Fatal(err)
}

// Golang docs -- https://pkg.go.dev/crypto/tls#section-documentation
tlsConfig := &tls.Config{
Certificates: serverPool,
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
Certificates: serverPool,
MinVersion: tls.VersionTLS12,
// MaxVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
// CipherSuites: []uint16{},
CipherSuites: commons.GetConfiguredCipherSuiteIds(),
PreferServerCipherSuites: true,
InsecureSkipVerify: false,
}

// tls.CipherSuiteName()

// if root CA provided, client validation is enabled (mutual TLS)
if len(config.Cfg.Agent.RootCA) > 0 {
caPool, err := commons.LoadCACert(config.Cfg.Agent.RootCA)
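Review bot: `CipherSuites: commons.GetConfiguredCipherSuiteIds()` relies on a nil-versus-empty distinction the helper in this PR does not provide: crypto/tls uses its default suite list only when `CipherSuites` is nil, and the helper returns a non-nil `[]uint16{}` when nothing (or nothing valid) is configured, which as far as I can tell leaves the listener with no TLS 1.2 suite at all while TLS 1.3 clients, for which Go ignores the list, keep connecting. Either make the helper return nil for "not configured" or guard here: `if suites := commons.GetConfiguredCipherSuiteIds(); len(suites) > 0 { tlsConfig.CipherSuites = suites }`. Separately, `PreferServerCipherSuites: true` has been deprecated and ignored since Go 1.17, `InsecureSkipVerify: false` is the zero value and a client-side verification knob with no effect on a server config, and the commented-out `// MaxVersion`, `// CipherSuites: []uint16{}` and `// tls.CipherSuiteName()` lines are leftovers; dropping all of them keeps the config honest about what it actually enforces. initExporterTLS starts and ends outside this hunk.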