feat(common.tls): Allow group aliases for ciphersuites (#15570)
srebhan authored Jun 27, 2024
1 parent 95a17d9 commit 5119c71
Showing 8 changed files with 75 additions and 21 deletions.
6 changes: 4 additions & 2 deletions plugins/common/tls/client.conf
Expand Up @@ -14,8 +14,10 @@
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
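Review bot: The new comment line `## Use "all", "secure" and "insecure" to add all support ciphers, secure` reads `support ciphers` where `supported ciphers` is meant; the same sentence is repeated in the seven other files of this commit (the gnmi, http and ldap README.md and sample.conf), presumably generated from this template, so fixing it here avoids the copies drifting. It would also help to state whether the three keywords are matched case-sensitively, since the code in utils.go upper-cases cipher names before lookup but compares the keywords as written.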
54 changes: 47 additions & 7 deletions plugins/common/tls/utils.go
Expand Up @@ -41,17 +41,57 @@ func Ciphers() (secure, insecure []string) {
func ParseCiphers(ciphers []string) ([]uint16, error) {
suites := []uint16{}

added := make(map[uint16]bool, len(ciphers))
for _, c := range ciphers {
cipher := strings.ToUpper(c)
id, ok := tlsCipherMapSecure[cipher]
if !ok {
idInsecure, ok := tlsCipherMapInsecure[cipher]
// Handle meta-keywords
switch c {
case "all":
for _, id := range tlsCipherMapInsecure {
if added[id] {
continue
}
suites = append(suites, id)
added[id] = true
}
for _, id := range tlsCipherMapSecure {
if added[id] {
continue
}
suites = append(suites, id)
added[id] = true
}
case "insecure":
for _, id := range tlsCipherMapInsecure {
if added[id] {
continue
}
suites = append(suites, id)
added[id] = true
}
case "secure":
for _, id := range tlsCipherMapSecure {
if added[id] {
continue
}
suites = append(suites, id)
added[id] = true
}
default:
cipher := strings.ToUpper(c)
id, ok := tlsCipherMapSecure[cipher]
if !ok {
return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
idInsecure, ok := tlsCipherMapInsecure[cipher]
if !ok {
return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
}
id = idInsecure
}
if added[id] {
continue
}
id = idInsecure
suites = append(suites, id)
added[id] = true
}
suites = append(suites, id)
}

return suites, nil
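Review bot: The group aliases are matched on the raw value in `switch c`, while the default branch upper-cases the name before the map lookup, so `"Secure"` or `"SECURE"` is not expanded and instead fails with `ErrCipherUnsupported` for a cipher called `"SECURE"`; `switch strings.ToLower(c)` would make the three keywords as case-insensitive as the cipher names (assuming the map keys are the upper-case `TLS_…` constant names, none of which can collide with these words). A second point is that the three `for _, id := range tlsCipherMap…` loops enumerate a map, so the returned slice comes back in a different order on every run; `tls.Config` documents the order of `CipherSuites` as ignored (Go 1.17+), so this does not weaken the negotiated configuration, but it makes the result non-reproducible for logging and for any test that compares the slice. The duplicated loops could be folded into one helper that also sorts each group before appending, as sketched below (`slices.Sort` needs Go 1.21; `sort.Slice` otherwise). The closing brace of ParseCiphers lies outside the hunk.
```go
		// Handle meta-keywords; lower-cased so "Secure" and "SECURE" expand too
		switch strings.ToLower(c) {
		case "all":
			suites = appendSuites(suites, added, tlsCipherMapInsecure, tlsCipherMapSecure)
		case "insecure":
			suites = appendSuites(suites, added, tlsCipherMapInsecure)
		case "secure":
			suites = appendSuites(suites, added, tlsCipherMapSecure)
		default:
			// … unchanged: single-cipher lookup and dedup …
		}

// appendSuites appends the IDs of each group to suites in ascending order,
// skipping IDs already present in added and recording the new ones there.
func appendSuites(suites []uint16, added map[uint16]bool, groups ...map[string]uint16) []uint16 {
	for _, group := range groups {
		ids := make([]uint16, 0, len(group))
		for _, id := range group {
			if added[id] {
				continue
			}
			ids = append(ids, id)
			added[id] = true
		}
		slices.Sort(ids) // map iteration order is random; sort for a reproducible result
		suites = append(suites, ids...)
	}
	return suites
}
```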
6 changes: 4 additions & 2 deletions plugins/inputs/gnmi/README.md
Expand Up @@ -108,8 +108,10 @@ details on how to use them.
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
6 changes: 4 additions & 2 deletions plugins/inputs/gnmi/sample.conf
Expand Up @@ -61,8 +61,10 @@
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
6 changes: 4 additions & 2 deletions plugins/inputs/http/README.md
Expand Up @@ -84,8 +84,10 @@ to use them.
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
6 changes: 4 additions & 2 deletions plugins/inputs/http/sample.conf
Expand Up @@ -55,8 +55,10 @@
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
6 changes: 4 additions & 2 deletions plugins/inputs/ldap/README.md
Expand Up @@ -55,8 +55,10 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
6 changes: 4 additions & 2 deletions plugins/inputs/ldap/sample.conf
Expand Up @@ -37,8 +37,10 @@
## Minimal TLS version to accept by the client
# tls_min_version = "TLS12"
## List of ciphers to accept, by default all secure ciphers will be accepted
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
# tls_cipher_suites = []
## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
## Use "all", "secure" and "insecure" to add all support ciphers, secure
## suites or insecure suites respectively.
# tls_cipher_suites = ["secure"]
## Renegotiation method, "never", "once" or "freely"
# tls_renegotiation_method = "never"
## Use TLS but skip chain & host verification
