Add support for tls_max_version in listener config. (hashicorp#11226)

g-psantos · Mar 29, 2021 · c15a66d · c15a66d
1 parent 1e27062
commit c15a66d
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 6 deletions.
diff --git a/changelog/11226.txt b/changelog/11226.txt
@@ -0,0 +1,3 @@
+```changelog:enhancement
+core: Add tls_max_version listener config option.
+```
diff --git a/command/server/config_test_helpers.go b/command/server/config_test_helpers.go
@@ -707,6 +707,7 @@ listener "tcp" {
  tls_key_file = "./certs/server.key"
  tls_client_ca_file = "./certs/rootca.crt"
  tls_min_version = "tls12"
+ tls_max_version = "tls13"
  tls_require_and_verify_client_cert = true
  tls_disable_client_certs = true
 }`))
@@ -737,6 +738,7 @@ listener "tcp" {
  TLSKeyFile: "./certs/server.key",
  TLSClientCAFile: "./certs/rootca.crt",
  TLSMinVersion: "tls12",
+ TLSMaxVersion: "tls13",
  TLSRequireAndVerifyClientCert: true,
  TLSDisableClientCerts: true,
  },

diff --git a/command/server/listener_tcp_test.go b/command/server/listener_tcp_test.go
@@ -28,7 +28,7 @@ func TestTCPListener(t *testing.T) {
  return net.Dial("tcp", ln.Addr().String())
  }
 
- testListenerImpl(t, ln, connFn, "")
+ testListenerImpl(t, ln, connFn, "", 0)
 }
 
 // TestTCPListener_tls tests TLS generally
@@ -86,7 +86,7 @@ func TestTCPListener_tls(t *testing.T) {
  }
  }
 
- testListenerImpl(t, ln, connFn(true), "foo.example.com")
+ testListenerImpl(t, ln, connFn(true), "foo.example.com", 0)
 
  ln, _, _, err = tcpListenerFactory(&configutil.Listener{
  Address: "127.0.0.1:0",
@@ -111,7 +111,7 @@ func TestTCPListener_tls(t *testing.T) {
  t.Fatalf("err: %s", err)
  }
 
- testListenerImpl(t, ln, connFn(false), "foo.example.com")
+ testListenerImpl(t, ln, connFn(false), "foo.example.com", 0)
 }
 
 func TestTCPListener_tls13(t *testing.T) {
@@ -169,7 +169,7 @@ func TestTCPListener_tls13(t *testing.T) {
  }
  }
 
- testListenerImpl(t, ln, connFn(true), "foo.example.com")
+ testListenerImpl(t, ln, connFn(true), "foo.example.com", tls.VersionTLS13)
 
  ln, _, _, err = tcpListenerFactory(&configutil.Listener{
  Address: "127.0.0.1:0",
@@ -196,5 +196,19 @@ func TestTCPListener_tls13(t *testing.T) {
  t.Fatalf("err: %s", err)
  }
 
- testListenerImpl(t, ln, connFn(false), "foo.example.com")
+ testListenerImpl(t, ln, connFn(false), "foo.example.com", tls.VersionTLS13)
+
+ ln, _, _, err = tcpListenerFactory(&configutil.Listener{
+ Address: "127.0.0.1:0",
+ TLSCertFile: wd + "reload_foo.pem",
+ TLSKeyFile: wd + "reload_foo.key",
+ TLSDisableClientCerts: true,
+ TLSClientCAFile: wd + "reload_ca.pem",
+ TLSMaxVersion: "tls12",
+ }, nil, cli.NewMockUi())
+ if err != nil {
+ t.Fatalf("err: %s", err)
+ }
+
+ testListenerImpl(t, ln, connFn(false), "foo.example.com", tls.VersionTLS12)
 }
diff --git a/command/server/listener_test.go b/command/server/listener_test.go
@@ -10,7 +10,7 @@ import (
 
 type testListenerConnFn func(net.Listener) (net.Conn, error)
 
-func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn, certName string) {
+func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn, certName string, expectedVersion uint16) {
  serverCh := make(chan net.Conn, 1)
  go func() {
  server, err := ln.Accept()
@@ -31,6 +31,9 @@ func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn,
 
  if certName != "" {
  tlsConn := client.(*tls.Conn)
+ if expectedVersion != 0 && tlsConn.ConnectionState().Version != expectedVersion {
+ t.Fatalf("expected version %d, got %d", expectedVersion, tlsConn.ConnectionState().Version)
+ }
  if len(tlsConn.ConnectionState().PeerCertificates) != 1 {
  t.Fatalf("err: number of certs too long")
  }

diff --git a/internalshared/configutil/listener.go b/internalshared/configutil/listener.go
@@ -43,6 +43,7 @@ type Listener struct {
  TLSCertFile string `hcl:"tls_cert_file"`
  TLSKeyFile string `hcl:"tls_key_file"`
  TLSMinVersion string `hcl:"tls_min_version"`
+ TLSMaxVersion string `hcl:"tls_max_version"`
  TLSCipherSuites []uint16 `hcl:"-"`
  TLSCipherSuitesRaw string `hcl:"tls_cipher_suites"`
  TLSPreferServerCipherSuites bool `hcl:"-"`

diff --git a/internalshared/listenerutil/listener.go b/internalshared/listenerutil/listener.go
@@ -111,12 +111,25 @@ PASSPHRASECORRECT:
  l.TLSMinVersion = "tls12"
  }
 
+ if l.TLSMaxVersion == "" {
+ l.TLSMaxVersion = "tls13"
+ }
+
  var ok bool
  tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
  if !ok {
  return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
  }
 
+ tlsConf.MaxVersion, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
+ if !ok {
+ return nil, nil, fmt.Errorf("'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMaxVersion)
+ }
+
+ if tlsConf.MaxVersion < tlsConf.MinVersion {
+ return nil, nil, fmt.Errorf("'tls_max_version' must be greater than or equal to 'tls_min_version'")
+ }
+
  if len(l.TLSCipherSuites) > 0 {
  // HTTP/2 with TLS 1.2 blacklists several cipher suites.
  // https://tools.ietf.org/html/rfc7540#appendix-A