From 13862f4e22382c22f20ab6fadab0aac1d7f7d9b9 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 2 Jul 2017 00:14:05 +0200
Subject: initial work to make tls parameter configurable

---
 src/daq/s5proxy/sample.json           |  6 +++--
 src/daq/s5proxy/src/s5proxy/config.go | 49 ++++++++++++++++++++++++++++++++---
 src/daq/s5proxy/src/s5proxy/proxy.go  | 16 +----------
 3 files changed, 51 insertions(+), 20 deletions(-)

diff --git a/src/daq/s5proxy/sample.json b/src/daq/s5proxy/sample.json
index 3b26879..8ec6dc1 100644
--- a/src/daq/s5proxy/sample.json
+++ b/src/daq/s5proxy/sample.json
@@ -2,8 +2,10 @@
   "listen": ":8443",
   "protocol": "http+https",
   "redirect2https": 301,
-  "cert": "fullchain.pem",
-  "key": "private.key",
+  "tls": {
+    "certificate": "fullchain.pem",
+    "certificate-key": "private.key"
+  },
   "connect": "http://emc01.spreadspace.org:8000",
   "request_header": [
     { "op": "del", "header": "X-Forwarded-For" }
diff --git a/src/daq/s5proxy/src/s5proxy/config.go b/src/daq/s5proxy/src/s5proxy/config.go
index 9bd5b3e..d8c61e0 100644
--- a/src/daq/s5proxy/src/s5proxy/config.go
+++ b/src/daq/s5proxy/src/s5proxy/config.go
@@ -33,6 +33,7 @@ package main
 import (
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
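Review bot: The new `tls` object in sample.json shows only `certificate` and `certificate-key`, so the other keys this commit introduces (`min-protocol-version`, `max-protocol-version`, `ciphers`, `prefer-server-ciphers`, `ecdh-curves`, `session-tickets`, `session-ticket-key`) have no documented spelling or value format anywhere I can see in this patch. JSON cannot carry comments, so either add a README line per key or extend the sample once the values have a textual form; as the struct in config.go stands they decode only as raw numeric IDs. Whatever gets added, never put a real `session-ticket-key` into the sample — it is long-lived secret material that would be copied verbatim into deployments.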
@@ -170,6 +171,49 @@ func (h *HeaderOperation) Parse() (err error) {
 	return nil
 }
 
+type TLSProtocolVersion uint16
+
+type TLSCipher uint16
+
+type TLSCurve tls.CurveID
+
+type TLSSessionTicketKey [32]byte
+
+type TLSConfig struct {
+	CertFile                 string              `json:"certificate"`
+	KeyFile                  string              `json:"certificate-key"`
+	MinVersion               TLSProtocolVersion  `json:"min-protocol-version"`
+	MaxVersion               TLSProtocolVersion  `json:"max-protocol-version"`
+	CipherSuites             []TLSCipher         `json:"ciphers"`
+	PreferServerCipherSuites bool                `json:"prefer-server-ciphers"`
+	CurvePreferences         []TLSCurve          `json:"ecdh-curves"`
+	SessionTicketsDisabled   bool                `json:"session-tickets"`
+	SessionTicketKey         TLSSessionTicketKey `json:"session-ticket-key"`
+}
+
+func (t TLSConfig) ToGoTLSConfig() (*tls.Config, error) {
+	cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO: generate cfg from t
+	cfg := &tls.Config{
+		Certificates:             []tls.Certificate{cert},
+		MinVersion:               tls.VersionTLS10,
+		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		PreferServerCipherSuites: true,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		},
+	}
+
+	return cfg, nil
+}
+
 type SFiveDuration int64
 
 func (d *SFiveDuration) UnmarshalText(data []byte) error {
@@ -198,8 +242,7 @@ type Config struct {
 	Protocol       ProtocolType      `json:"protocol"`
 	Redirect2HTTPS RedirectCode      `json:"redirect2https"`
 	ConnectAddr    string            `json:"connect"`
-	CertFile       string            `json:"cert"`
-	KeyFile        string            `json:"key"`
+	TLS            TLSConfig         `json:"tls"`
 	RequestHeader  []HeaderOperation `json:"request_header"`
 	ResponseHeader []HeaderOperation `json:"response_header"`
 	SFive          SFiveConf         `json:"sfive"`
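Review bot: `SessionTicketsDisabled bool \`json:"session-tickets"\`` in the new TLSConfig struct inverts the key's meaning — an operator writing `"session-tickets": true` would switch tickets off once the field is copied into tls.Config — so the tag should read `json:"session-tickets-disabled"` (or the field become `SessionTickets` and be negated when applied). `TLSSessionTicketKey [32]byte` has no UnmarshalText, so encoding/json will accept only a 32-element JSON number array for `session-ticket-key`, and `TLSProtocolVersion`/`TLSCipher`/`TLSCurve` likewise decode only as bare numeric IDs; each wants an UnmarshalText like the one `SFiveDuration` has right below, with the key decoded from hex (needs `encoding/hex`) and rejected unless it is exactly 32 bytes, while an absent key is best left all-zero, which crypto/tls, if I remember its server init correctly, replaces with random bytes. That key is long-lived secret material sitting in a plain JSON file, so the accompanying documentation should say that a static key undoes forward secrecy for resumed sessions unless it is rotated. Finally, until `// TODO: generate cfg from t` is done, min/max version, ciphers and curves are read but never applied and ToGoTLSConfig silently keeps the TLS 1.0 floor and RSA-kex/CBC suites inherited from proxy.go; readConfig should refuse a config that sets those fields rather than appear to honour them.
```go
	SessionTicketsDisabled   bool                `json:"session-tickets-disabled"`
	// … unchanged: remaining TLSConfig fields …

// UnmarshalText accepts the ticket key as a hex string and insists on exactly 32 bytes.
func (k *TLSSessionTicketKey) UnmarshalText(data []byte) error {
	raw, err := hex.DecodeString(string(data))
	if err != nil {
		return err
	}
	if len(raw) != len(k) {
		return fmt.Errorf("session-ticket-key must be %d bytes, got %d", len(k), len(raw))
	}
	copy(k[:], raw)
	return nil
}
```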
@@ -232,7 +275,7 @@ func readConfig(configfile string) (conf *Config, err error) {
 	}
 
 	if conf.Protocol == HTTPAndHTTPS || conf.Protocol == HTTPSOnly {
-		if conf.CertFile == "" || conf.KeyFile == "" {
+		if conf.TLS.CertFile == "" || conf.TLS.KeyFile == "" {
 			return nil, errors.New("HTTPs is enabled but no certificate and/or key file is supplied")
 		}
 	}
diff --git a/src/daq/s5proxy/src/s5proxy/proxy.go b/src/daq/s5proxy/src/s5proxy/proxy.go
index dec8271..3bb0afb 100644
--- a/src/daq/s5proxy/src/s5proxy/proxy.go
+++ b/src/daq/s5proxy/src/s5proxy/proxy.go
@@ -181,25 +181,11 @@ func (p *Proxy) RunHTTP(l net.Listener) error {
 }
 
 func (p *Proxy) RunHTTPS(l net.Listener) error {
-	cert, err := tls.LoadX509KeyPair(p.conf.CertFile, p.conf.KeyFile)
+	cfg, err := p.conf.TLS.ToGoTLSConfig()
 	if err != nil {
 		return err
 	}
 
-	// TODO: make this configurable
-	cfg := &tls.Config{
-		Certificates:             []tls.Certificate{cert},
-		MinVersion:               tls.VersionTLS10,
-		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
-		PreferServerCipherSuites: true,
-		CipherSuites: []uint16{
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		},
-	}
-
 	tlsL := tls.NewListener(l, cfg)
 	return p.srv.Serve(tlsL)
 }
-- 
cgit v1.2.3
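Review bot: With the certificate settings moved under `tls`, an existing deployment whose file still carries the old top-level `cert`/`key` keys will parse cleanly — encoding/json ignores unknown fields — and then fail on the changed check, whose message still says "no certificate and/or key file is supplied" and gives no hint that the keys moved. Name the new fields in the message, e.g. `return nil, errors.New("HTTPs is enabled but tls.certificate and/or tls.certificate-key is not set")`, so the upgrade failure is self-explaining. readConfig starts and ends outside this hunk, so I cannot see whether the decoder rejects unknown keys elsewhere; if it does not, a one-time check for the legacy `cert`/`key` names with an explicit "moved to tls.*" error would be worth adding there.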