1
// Copyright 2016 Canonical Ltd.
2
// Licensed under the LGPLv3, see LICENCE file for details.
12
// NewHttpTLSTransport returns a new http.Transport constructed with the TLS config
13
// and the necessary parameters for Juju.
14
func NewHttpTLSTransport(tlsConfig *tls.Config) *http.Transport {
15
// See https://code.google.com/p/go/issues/detail?id=4677
16
// We need to force the connection to close each time so that we don't
17
// hit the above Go bug.
18
transport := &http.Transport{
19
Proxy: http.ProxyFromEnvironment,
20
TLSClientConfig: tlsConfig,
21
DisableKeepAlives: true,
23
TLSHandshakeTimeout: 10 * time.Second,
25
registerFileProtocol(transport)
29
// knownGoodCipherSuites contains the list of secure cipher suites to use
30
// with tls.Config. This list matches those that Go 1.6 implements from
31
// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations.
33
// https://tools.ietf.org/html/rfc7525#section-4.2 excludes RSA exchange completely
34
// so we could be more strict if all our clients will support
35
// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/384. Unfortunately Go's crypto library
36
// is limited and doesn't support DHE-RSA-AES256-GCM-SHA384 and
37
// DHE-RSA-AES256-SHA256, which are part of the recommended set.
39
// Unfortunately we can't drop the RSA algorithms because our servers aren't
40
// generating ECDHE keys.
41
var knownGoodCipherSuites = []uint16{
42
// These are technically useless for Juju, since we use an RSA certificate,
43
// but they also don't hurt anything, and supporting an ECDSA certificate
44
// could be useful in the future.
45
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
46
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
48
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
49
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
51
// Windows doesn't support GCM currently, so we need these for RSA support.
52
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
53
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
56
// SecureTLSConfig returns a tls.Config that conforms to Juju's security
57
// standards, so as to avoid known security vulnerabilities in certain
60
// Currently it excludes RC4 implementations from the available ciphersuites,
61
// requires ciphersuites that provide forward secrecy, and sets the minimum TLS
63
func SecureTLSConfig() *tls.Config {
65
CipherSuites: knownGoodCipherSuites,
66
MinVersion: tls.VersionTLS12,