From c4ee9cafd96b9140ab90093954ee5ec616bb59e0 Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Sun, 31 Jan 2021 10:49:50 -0500
Subject: [PATCH 1/2] Disable TLS v1.0 and v1.1 by default

---
 cmd/rqlited/main.go | 3 +++
 http/service.go | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cmd/rqlited/main.go b/cmd/rqlited/main.go
index 1b8d2378..700b6027 100644
--- a/cmd/rqlited/main.go
+++ b/cmd/rqlited/main.go
@@ -46,6 +46,7 @@ var (
 
 var httpAddr string
 var httpAdv string
+var tls1011 bool
 var authFile string
 var x509CACert string
 var x509Cert string
@@ -93,6 +94,7 @@ func init() {
 	flag.StringVar(&nodeID, "node-id", "", "Unique name for node. If not set, set to hostname")
 	flag.StringVar(&httpAddr, "http-addr", "localhost:4001", "HTTP server bind address. For HTTPS, set X.509 cert and key")
 	flag.StringVar(&httpAdv, "http-adv-addr", "", "Advertised HTTP address. If not set, same as HTTP server")
+	flag.BoolVar(&tls1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1")
 	flag.StringVar(&x509CACert, "http-ca-cert", "", "Path to root X.509 certificate for HTTP endpoint")
 	flag.StringVar(&x509Cert, "http-cert", "", "Path to X.509 certificate for HTTP endpoint")
 	flag.StringVar(&x509Key, "http-key", "", "Path to X.509 private key for HTTP endpoint")
@@ -412,6 +414,7 @@ func startHTTPService(str *store.Store) error {
 
 	s.CertFile = x509Cert
 	s.KeyFile = x509Key
+	s.TLS1011 = tls1011
 	s.Expvar = expvar
 	s.Pprof = pprofEnabled
 	s.BuildInfo = map[string]interface{}{
diff --git a/http/service.go b/http/service.go
index 794a7d8f..8cb80039 100644
--- a/http/service.go
+++ b/http/service.go
@@ -164,6 +164,7 @@ type Service struct {
 	CACertFile string // Path to root X.509 certificate.
 	CertFile string // Path to SSL certificate.
 	KeyFile string // Path to SSL private key.
+	TLS1011 bool // Whether older, deprecated TLS should be supported.
 
 	credentialStore CredentialStore
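Review bot: The help text for the new flag in the init() hunk, `Support deprecated TLS versions 1.0 and 1.1`, does not tell an operator what the default floor now is, so anyone whose older clients stop connecting after an upgrade gets no hint from the usage output; suggest `flag.BoolVar(&tls1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1 (default minimum is TLS 1.2)")`. The neighbouring HTTP-endpoint flags are all prefixed `http-` (`http-ca-cert`, `http-cert`, `http-key`), and since the value is only wired into the HTTP service in the startHTTPService hunk, a name such as `http-tls1011` may be worth settling on before the flag ships, as renaming it later is a compatibility break. init() starts and ends outside the hunk.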
@@ -202,7 +203,7 @@ func (s *Service) Start() error {
 			return err
 		}
 	} else {
-		config, err := createTLSConfig(s.CertFile, s.KeyFile, s.CACertFile)
+		config, err := createTLSConfig(s.CertFile, s.KeyFile, s.CACertFile, s.TLS1011)
 		if err != nil {
 			return err
 		}
@@ -896,10 +897,17 @@ func requestQueries(r *http.Request) ([]*command.Statement, error) {
 }
 
 // createTLSConfig returns a TLS config from the given cert and key.
-func createTLSConfig(certFile, keyFile, caCertFile string) (*tls.Config, error) {
+func createTLSConfig(certFile, keyFile, caCertFile string, tls1011 bool) (*tls.Config, error) {
 	var err error
+
+	var minTls = uint16(tls.VersionTLS12)
+	if tls1011 {
+		minTls = tls.VersionTLS10
+	}
+
 	config := &tls.Config{
 		NextProtos: []string{"h2", "http/1.1"},
+		MinVersion: minTls,
 	}
 	config.Certificates = make([]tls.Certificate, 1)
 	config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)

From 11d6731e596c747056867c6643411123583503bf Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Sun, 31 Jan 2021 10:51:12 -0500
Subject: [PATCH 2/2] Update CHANGELOG

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad91b341..4a28b8aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - [PR #738](https://github.com/rqlite/rqlite/pull/738): Don't use temp file when snapshotting database
 - [PR #738](https://github.com/rqlite/rqlite/pull/738): Switch to rqlite fork of mattn/go-sqlite3. The SQLite C code remains unchanged.
 - [PR #741](https://github.com/rqlite/rqlite/pull/741): Tighten up Store-level locking.
+- [PR #745](https://github.com/rqlite/rqlite/pull/745): TLS version 1.0 and 1.1 disabled by default. Fixes [issue #743](https://github.com/rqlite/rqlite/issues/743).
 
 ## 5.9.0 (January 24th 2021)
 ### New features
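Review bot: The doc comment on createTLSConfig still reads `// createTLSConfig returns a TLS config from the given cert and key.` and says nothing about the new tls1011 parameter or the TLS 1.2 floor the function now sets, which is the security-relevant behaviour of this change; suggest `// createTLSConfig returns a TLS config from the given cert and key. MinVersion is TLS 1.2 unless tls1011 is true, which re-enables the deprecated TLS 1.0 and 1.1 for legacy clients.` On style, `minTls` should be `minTLS` per Go initialism conventions, and the temporary can be dropped entirely by writing `MinVersion: tls.VersionTLS12` in the struct literal and overriding it with `config.MinVersion = tls.VersionTLS10` inside the `if tls1011` block, which keeps the secure default visible at the point the config is built. The body of createTLSConfig continues past the end of the hunk.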