← Back to branch summary

~nskaggs/+junk/xenial-test

« back to all changes in this revision

Viewing changes to src/github.com/juju/utils/tls.go

  • Committer: Nicholas Skaggs
  • Date: 2016-10-24 20:56:05 UTC
  • Revision ID: nicholas.skaggs@canonical.com-20161024205605-z8lta0uvuhtxwzwl
Initi with beta15

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/github.com/juju/utils/tls.go
 
1
// Copyright 2016 Canonical Ltd.
 
2
// Licensed under the LGPLv3, see LICENCE file for details.
 
3
 
 
4
package utils
 
5
 
 
6
import (
 
7
        "crypto/tls"
 
8
        "net/http"
 
9
        "time"
 
10
)
 
11
 
 
12
// NewHttpTLSTransport returns a new http.Transport constructed with the TLS config
 
13
// and the necessary parameters for Juju.
 
14
func NewHttpTLSTransport(tlsConfig *tls.Config) *http.Transport {
 
15
        // See https://code.google.com/p/go/issues/detail?id=4677
 
16
        // We need to force the connection to close each time so that we don't
 
17
        // hit the above Go bug.
 
18
        transport := &http.Transport{
 
19
                Proxy:               http.ProxyFromEnvironment,
 
20
                TLSClientConfig:     tlsConfig,
 
21
                DisableKeepAlives:   true,
 
22
                Dial:                dial,
 
23
                TLSHandshakeTimeout: 10 * time.Second,
 
24
        }
 
25
        registerFileProtocol(transport)
 
26
        return transport
 
27
}
 
28
 
 
29
// knownGoodCipherSuites contains the list of secure cipher suites to use
 
30
// with tls.Config. This list matches those that Go 1.6 implements from
 
31
// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations.
 
32
//
 
33
// https://tools.ietf.org/html/rfc7525#section-4.2 excludes RSA exchange completely
 
34
// so we could be more strict if all our clients will support
 
35
// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/384. Unfortunately Go's crypto library
 
36
// is limited and doesn't support DHE-RSA-AES256-GCM-SHA384 and
 
37
// DHE-RSA-AES256-SHA256, which are part of the recommended set.
 
38
//
 
39
// Unfortunately we can't drop the RSA algorithms because our servers aren't
 
40
// generating ECDHE keys.
 
41
var knownGoodCipherSuites = []uint16{
 
42
        // These are technically useless for Juju, since we use an RSA certificate,
 
43
        // but they also don't hurt anything, and supporting an ECDSA certificate
 
44
        // could be useful in the future.
 
45
        tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 
46
        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 
47
 
 
48
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 
49
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 
50
 
 
51
        // Windows doesn't support GCM currently, so we need these for RSA support.
 
52
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 
53
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 
54
}
 
55
 
 
56
// SecureTLSConfig returns a tls.Config that conforms to Juju's security
 
57
// standards, so as to avoid known security vulnerabilities in certain
 
58
// configurations.
 
59
//
 
60
// Currently it excludes RC4 implementations from the available ciphersuites,
 
61
// requires ciphersuites that provide forward secrecy, and sets the minimum TLS
 
62
// version to 1.2.
 
63
func SecureTLSConfig() *tls.Config {
 
64
        return &tls.Config{
 
65
                CipherSuites: knownGoodCipherSuites,
 
66
                MinVersion:   tls.VersionTLS12,
 
67
        }
 
68
}