From 5119c7182fde2de46e22a1dc4382a0eeca6650cb Mon Sep 17 00:00:00 2001
From: Sven Rebhan <36194019+srebhan@users.noreply.github.com>
Date: Thu, 27 Jun 2024 15:01:39 -0400
Subject: [PATCH] feat(common.tls): Allow group aliases for ciphersuites (#15570)
---
 plugins/common/tls/client.conf | 6 ++--
 plugins/common/tls/utils.go | 54 ++++++++++++++++++++++++++++-----
 plugins/inputs/gnmi/README.md | 6 ++--
 plugins/inputs/gnmi/sample.conf | 6 ++--
 plugins/inputs/http/README.md | 6 ++--
 plugins/inputs/http/sample.conf | 6 ++--
 plugins/inputs/ldap/README.md | 6 ++--
 plugins/inputs/ldap/sample.conf | 6 ++--
 8 files changed, 75 insertions(+), 21 deletions(-)
diff --git a/plugins/common/tls/client.conf b/plugins/common/tls/client.conf
index 46bc8d7a27eb8..ad43aa250b16d 100644
--- a/plugins/common/tls/client.conf
+++ b/plugins/common/tls/client.conf
@@ -14,8 +14,10 @@
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification
diff --git a/plugins/common/tls/utils.go b/plugins/common/tls/utils.go
index 6fbdeb96e0268..8d4dc89bb84f1 100644
--- a/plugins/common/tls/utils.go
+++ b/plugins/common/tls/utils.go
@@ -41,17 +41,57 @@ func Ciphers() (secure, insecure []string) {
 func ParseCiphers(ciphers []string) ([]uint16, error) {
 suites := []uint16{}
+ added := make(map[uint16]bool, len(ciphers))
 for _, c := range ciphers {
- cipher := strings.ToUpper(c)
- id, ok := tlsCipherMapSecure[cipher]
- if !ok {
- idInsecure, ok := tlsCipherMapInsecure[cipher]
+ // Handle meta-keywords
+ switch c {
+ case "all":
+ for _, id := range tlsCipherMapInsecure {
+ if added[id] {
+ continue
+ }
+ suites = append(suites, id)
+ added[id] = true
+ }
+ for _, id := range tlsCipherMapSecure {
+ if added[id] {
+ continue
+ }
+ suites = append(suites, id)
+ added[id] = true
+ }
+ case "insecure":
+ for _, id := range tlsCipherMapInsecure {
+ if added[id] {
+ continue
+ }
+ suites = append(suites, id)
+ added[id] = true
+ }
+ case "secure":
+ for _, id := range tlsCipherMapSecure {
+ if added[id] {
+ continue
+ }
+ suites = append(suites, id)
+ added[id] = true
+ }
+ default:
+ cipher := strings.ToUpper(c)
+ id, ok := tlsCipherMapSecure[cipher]
 if !ok {
- return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
+ idInsecure, ok := tlsCipherMapInsecure[cipher]
+ if !ok {
+ return nil, fmt.Errorf("%q %w", cipher, ErrCipherUnsupported)
+ }
+ id = idInsecure
+ }
+ if added[id] {
+ continue
 }
- id = idInsecure
+ suites = append(suites, id)
+ added[id] = true
 }
- suites = append(suites, id)
 }
 return suites, nil
diff --git a/plugins/inputs/gnmi/README.md b/plugins/inputs/gnmi/README.md
index 237da33c1a306..5847e63c322cd 100644
--- a/plugins/inputs/gnmi/README.md
+++ b/plugins/inputs/gnmi/README.md
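Review bot: The alias match in the new `switch c {` is case-sensitive while the `default:` branch uppercases the name, so `"Secure"` or `"ALL"` falls through to the suite lookup and is rejected with an `ErrCipherUnsupported` error naming `"SECURE"`/`"ALL"` instead of being expanded; `switch strings.ToLower(c) {` would make the aliases as case-insensitive as explicit suite names already are. The expansions also range over `tlsCipherMapInsecure`/`tlsCipherMapSecure`, which the comma-ok lookups show are maps, so the returned slice comes back in randomized order on every call; that is harmless if it only feeds `tls.Config.CipherSuites` (crypto/tls has ignored that field's order since Go 1.17, as far as I recall) but it makes logs and tests nondeterministic, and a `slices.Sort(suites)` before `return suites, nil` would fix it. Finally, `"all"` and `"insecure"` re-enable every entry of the insecure map with no warning to the operator; a comment on `case "all":` such as `// "all" includes the insecure suites; use "secure" unless a peer requires a legacy suite` would make that trade-off explicit to the next maintainer. ParseCiphers' closing brace and both cipher maps lie outside the hunk.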
@@ -108,8 +108,10 @@ details on how to use them.
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification
diff --git a/plugins/inputs/gnmi/sample.conf b/plugins/inputs/gnmi/sample.conf
index a1dcf5eec0b2e..ac178431d2e6a 100644
--- a/plugins/inputs/gnmi/sample.conf
+++ b/plugins/inputs/gnmi/sample.conf
@@ -61,8 +61,10 @@
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification
diff --git a/plugins/inputs/http/README.md b/plugins/inputs/http/README.md
index 213ec7d7730be..a245ae3df4d24 100644
--- a/plugins/inputs/http/README.md
+++ b/plugins/inputs/http/README.md
@@ -84,8 +84,10 @@ to use them.
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification
diff --git a/plugins/inputs/http/sample.conf b/plugins/inputs/http/sample.conf
index e55a7a6770a28..fcff28090bb17 100644
--- a/plugins/inputs/http/sample.conf
+++ b/plugins/inputs/http/sample.conf
@@ -55,8 +55,10 @@
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification
diff --git a/plugins/inputs/ldap/README.md b/plugins/inputs/ldap/README.md
index 9ef900c9eafdc..68c740ddee822 100644
--- a/plugins/inputs/ldap/README.md
+++ b/plugins/inputs/ldap/README.md
@@ -55,8 +55,10 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification
diff --git a/plugins/inputs/ldap/sample.conf b/plugins/inputs/ldap/sample.conf
index 483c4c59c6a9c..b31c9b6c0a87e 100644
--- a/plugins/inputs/ldap/sample.conf
+++ b/plugins/inputs/ldap/sample.conf
@@ -37,8 +37,10 @@
 ## Minimal TLS version to accept by the client
 # tls_min_version = "TLS12"
 ## List of ciphers to accept, by default all secure ciphers will be accepted
- ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values
- # tls_cipher_suites = []
+ ## See https://pkg.go.dev/crypto/tls#pkg-constants for supported values.
+ ## Use "all", "secure" and "insecure" to add all support ciphers, secure
+ ## suites or insecure suites respectively.
+ # tls_cipher_suites = ["secure"]
 ## Renegotiation method, "never", "once" or "freely"
 # tls_renegotiation_method = "never"
 ## Use TLS but skip chain & host verification