
Disable TLS v1.0 and v1.1 by default

master
Philip O'Toole 4 years ago
parent 21214f6b0e
commit c4ee9cafd9

@ -46,6 +46,7 @@ var (
var httpAddr string var httpAddr string
var httpAdv string var httpAdv string
var tls1011 bool
var authFile string var authFile string
var x509CACert string var x509CACert string
var x509Cert string var x509Cert string
@ -93,6 +94,7 @@ func init() {
flag.StringVar(&nodeID, "node-id", "", "Unique name for node. If not set, set to hostname") flag.StringVar(&nodeID, "node-id", "", "Unique name for node. If not set, set to hostname")
flag.StringVar(&httpAddr, "http-addr", "localhost:4001", "HTTP server bind address. For HTTPS, set X.509 cert and key") flag.StringVar(&httpAddr, "http-addr", "localhost:4001", "HTTP server bind address. For HTTPS, set X.509 cert and key")
flag.StringVar(&httpAdv, "http-adv-addr", "", "Advertised HTTP address. If not set, same as HTTP server") flag.StringVar(&httpAdv, "http-adv-addr", "", "Advertised HTTP address. If not set, same as HTTP server")
flag.BoolVar(&tls1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1")
flag.StringVar(&x509CACert, "http-ca-cert", "", "Path to root X.509 certificate for HTTP endpoint") flag.StringVar(&x509CACert, "http-ca-cert", "", "Path to root X.509 certificate for HTTP endpoint")
flag.StringVar(&x509Cert, "http-cert", "", "Path to X.509 certificate for HTTP endpoint") flag.StringVar(&x509Cert, "http-cert", "", "Path to X.509 certificate for HTTP endpoint")
flag.StringVar(&x509Key, "http-key", "", "Path to X.509 private key for HTTP endpoint") flag.StringVar(&x509Key, "http-key", "", "Path to X.509 private key for HTTP endpoint")
@ -412,6 +414,7 @@ func startHTTPService(str *store.Store) error {
s.CertFile = x509Cert s.CertFile = x509Cert
s.KeyFile = x509Key s.KeyFile = x509Key
s.TLS1011 = tls1011
s.Expvar = expvar s.Expvar = expvar
s.Pprof = pprofEnabled s.Pprof = pprofEnabled
s.BuildInfo = map[string]interface{}{ s.BuildInfo = map[string]interface{}{
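Review bot: The help text on the new `-tls1011` flag says what the flag turns on but not what the default now rejects, so an operator whose TLS 1.0/1.1 clients stop connecting after an upgrade gets no hint from the usage output; suggest `flag.BoolVar(&tls1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1 (minimum is TLS 1.2 unless set)")`. The same documentation gap is in the http service hunk for createTLSConfig, whose doc comment still reads `// createTLSConfig returns a TLS config from the given cert and key.` and should say that the tls1011 argument lowers MinVersion from TLS 1.2 to TLS 1.0. Because the commit changes default behaviour for existing deployments, a release-note or changelog entry would be worth adding if the project keeps one. The enclosing init() and startHTTPService bodies extend outside the hunks shown.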

@ -164,6 +164,7 @@ type Service struct {
CACertFile string // Path to root X.509 certificate. CACertFile string // Path to root X.509 certificate.
CertFile string // Path to SSL certificate. CertFile string // Path to SSL certificate.
KeyFile string // Path to SSL private key. KeyFile string // Path to SSL private key.
TLS1011 bool // Whether older, deprecated TLS should be supported.
credentialStore CredentialStore credentialStore CredentialStore
@ -202,7 +203,7 @@ func (s *Service) Start() error {
return err return err
} }
} else { } else {
config, err := createTLSConfig(s.CertFile, s.KeyFile, s.CACertFile) config, err := createTLSConfig(s.CertFile, s.KeyFile, s.CACertFile, s.TLS1011)
if err != nil { if err != nil {
return err return err
} }
@ -896,10 +897,17 @@ func requestQueries(r *http.Request) ([]*command.Statement, error) {
} }
// createTLSConfig returns a TLS config from the given cert and key. // createTLSConfig returns a TLS config from the given cert and key.
func createTLSConfig(certFile, keyFile, caCertFile string) (*tls.Config, error) { func createTLSConfig(certFile, keyFile, caCertFile string, tls1011 bool) (*tls.Config, error) {
var err error var err error
var minTls = uint16(tls.VersionTLS12)
if tls1011 {
minTls = tls.VersionTLS10
}
config := &tls.Config{ config := &tls.Config{
NextProtos: []string{"h2", "http/1.1"}, NextProtos: []string{"h2", "http/1.1"},
MinVersion: minTls,
} }
config.Certificates = make([]tls.Certificate, 1) config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile) config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
