feat: add configurable cipher suites for tls listening #10505

Merged
merged 13 commits into from
Nov 7, 2023
update golden files
Emyrk committed Nov 3, 2023
commit 284653fcfa6ee95bafde5d8f0cd7c5b7c76b51ff
9 changes: 9 additions & 0 deletions cli/testdata/coder_server_--help.golden
Expand Up @@ -249,12 +249,21 @@ can safely ignore these settings.
--tls-address host:port, $CODER_TLS_ADDRESS (default: 127.0.0.1:3443)
HTTPS bind address of the server.

--tls-allow-insecure-ciphers bool, $CODER_TLS_ALLOW_INSECURE_CIPHERS (default: false)
By default, only ciphers marked as 'secure' are allowed to be used.
See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.

--tls-cert-file string-array, $CODER_TLS_CERT_FILE
Path to each certificate for TLS. It requires a PEM-encoded file. To
configure the listener to use a CA certificate, concatenate the
primary certificate and the CA certificate together. The primary
certificate should appear first in the combined file.

--tls-ciphers string-array, $CODER_TLS_CIPHERS
Specify specific TLS ciphers that allowed to be used. See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.

--tls-client-auth string, $CODER_TLS_CLIENT_AUTH (default: none)
Policy the server will follow for TLS Client Authentication. Accepted
values are "none", "request", "require-any", "verify-if-given", or
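Review bot: The --tls-ciphers help text reads "Specify specific TLS ciphers that allowed to be used", which is missing a verb and repeats "specify". Suggest "Specify the TLS ciphers that are allowed to be used." Since this is a golden file, the wording should be fixed in the option's description and the golden files regenerated, not edited here. The text also does not say what form the values take; if the accepted names are the ones in the linked Go source, say so in the description.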
8 changes: 8 additions & 0 deletions cli/testdata/server-config.yaml.golden
Expand Up @@ -83,6 +83,14 @@ networking:
# Path to key for client TLS authentication. It requires a PEM-encoded file.
# (default: <unset>, type: string)
clientKeyFile: ""
# Specify specific TLS ciphers that allowed to be used. See
# https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
# (default: <unset>, type: string-array)
tlsCiphers: []
# By default, only ciphers marked as 'secure' are allowed to be used. See
# https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
# (default: false, type: bool)
tlsAllowInsecureCiphers: false
# Controls if the 'Strict-Transport-Security' header is set on all static file
# responses. This header should only be set if the server is accessed via HTTPS.
# This value is the MaxAge in seconds of the header.
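Review bot: Both comments added here link to cipher_suites.go on the master branch with fixed line ranges (#L53-L75 and #L82-L95), and those ranges will point at different lines once that file changes upstream. Link to a tagged release or a commit permalink instead, or name the lists being referred to. The tlsCiphers comment also gives "(default: <unset>)" without saying what an empty list means for the listener, which deserves a sentence because it decides which cipher suites are actually offered.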
9 changes: 9 additions & 0 deletions enterprise/cli/testdata/coder_server_--help.golden
Expand Up @@ -250,12 +250,21 @@ can safely ignore these settings.
--tls-address host:port, $CODER_TLS_ADDRESS (default: 127.0.0.1:3443)
HTTPS bind address of the server.

--tls-allow-insecure-ciphers bool, $CODER_TLS_ALLOW_INSECURE_CIPHERS (default: false)
By default, only ciphers marked as 'secure' are allowed to be used.
See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.

--tls-cert-file string-array, $CODER_TLS_CERT_FILE
Path to each certificate for TLS. It requires a PEM-encoded file. To
configure the listener to use a CA certificate, concatenate the
primary certificate and the CA certificate together. The primary
certificate should appear first in the combined file.

--tls-ciphers string-array, $CODER_TLS_CIPHERS
Specify specific TLS ciphers that allowed to be used. See
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.

--tls-client-auth string, $CODER_TLS_CLIENT_AUTH (default: none)
Policy the server will follow for TLS Client Authentication. Accepted
values are "none", "request", "require-any", "verify-if-given", or
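Review bot: The --tls-allow-insecure-ciphers description only states the default ("By default, only ciphers marked as 'secure' are allowed to be used") and never says what setting the flag to true does or how it relates to --tls-ciphers. For a flag that weakens TLS, the help should state the effect directly, for example "Allow ciphers from the insecure list to be named in --tls-ciphers", if that is the intended behavior. The same text appears in cli/testdata/coder_server_--help.golden, so one change to the option description covers both files.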