Add --min_tls_version flag (does not apply to proxy backends)

Allowed values are 1.0 (default), 1.1, 1.2 or 1.3. At the time of writing, current go versions default to TLS 1.0 as the minimum version when acting as a server (and 1.2 when acting as a client). This change allows admins to raise the minium supported TLS version. Fixes #708.
buchgr · Dec 3, 2023 · ad2ded8 · ad2ded8
1 parent 0fd6a44
commit ad2ded8
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 0 deletions.
diff --git a/config/config.go b/config/config.go
@@ -89,6 +89,7 @@ type Config struct {
 	StorageMode                 string                    `yaml:"storage_mode"`
 	ZstdImplementation          string                    `yaml:"zstd_implementation"`
 	HtpasswdFile                string                    `yaml:"htpasswd_file"`
+	MinTLSVersion               string                    `yaml:"min_tls_version"`
 	TLSCaFile                   string                    `yaml:"tls_ca_file"`
 	TLSCertFile                 string                    `yaml:"tls_cert_file"`
 	TLSKeyFile                  string                    `yaml:"tls_key_file"`
@@ -147,6 +148,7 @@ func newFromArgs(dir string, maxSize int, storageMode string, zstdImplementation
 	htpasswdFile string,
 	maxQueuedUploads int,
 	numUploaders int,
+	minTLSVersion string,
 	tlsCaFile string,
 	tlsCertFile string,
 	tlsKeyFile string,
@@ -180,6 +182,7 @@ func newFromArgs(dir string, maxSize int, storageMode string, zstdImplementation
 		HtpasswdFile:                htpasswdFile,
 		MaxQueuedUploads:            maxQueuedUploads,
 		NumUploaders:                numUploaders,
+		MinTLSVersion:               minTLSVersion,
 		TLSCaFile:                   tlsCaFile,
 		TLSCertFile:                 tlsCertFile,
 		TLSKeyFile:                  tlsKeyFile,
@@ -235,6 +238,7 @@ func newFromYaml(data []byte) (*Config, error) {
 			StorageMode:            "zstd",
 			ZstdImplementation:     "go",
 			NumUploaders:           100,
+			MinTLSVersion:          "1.0",
 			MaxQueuedUploads:       1000000,
 			MaxBlobSize:            math.MaxInt64,
 			MaxProxyBlobSize:       math.MaxInt64,
@@ -589,6 +593,7 @@ func get(ctx *cli.Context) (*Config, error) {
 		ctx.String("htpasswd_file"),
 		ctx.Int("max_queued_uploads"),
 		ctx.Int("num_uploaders"),
+		ctx.String("min_tls_version"),
 		ctx.String("tls_ca_file"),
 		ctx.String("tls_cert_file"),
 		ctx.String("tls_key_file"),

diff --git a/config/config_test.go b/config/config_test.go
@@ -44,6 +44,7 @@ log_timezone: local
 		StorageMode:                 "zstd",
 		ZstdImplementation:          "go",
 		HtpasswdFile:                "/opt/.htpasswd",
+		MinTLSVersion:               "1.0",
 		TLSCertFile:                 "/opt/tls.cert",
 		TLSKeyFile:                  "/opt/tls.key",
 		DisableHTTPACValidation:     true,
@@ -95,6 +96,7 @@ gcs_proxy:
 			JSONCredentialsFile:   "/opt/creds.json",
 		},
 		NumUploaders:           100,
+		MinTLSVersion:          "1.0",
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
 		MaxProxyBlobSize:       math.MaxInt64,
@@ -138,6 +140,7 @@ http_proxy:
 			BaseURL: url,
 		},
 		NumUploaders:           100,
+		MinTLSVersion:          "1.0",
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
 		MaxProxyBlobSize:       math.MaxInt64,
@@ -214,6 +217,7 @@ s3_proxy:
 			SecretAccessKey: "EXAMPLE_SECRET_KEY",
 		},
 		NumUploaders:           100,
+		MinTLSVersion:          "1.0",
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
 		MaxProxyBlobSize:       math.MaxInt64,
@@ -247,6 +251,7 @@ profile_address: :7070
 		ZstdImplementation:     "go",
 		ProfileAddress:         ":7070",
 		NumUploaders:           100,
+		MinTLSVersion:          "1.0",
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
 		MaxProxyBlobSize:       math.MaxInt64,
@@ -293,6 +298,7 @@ endpoint_metrics_duration_buckets: [.005, .1, 5]
 		MaxSize:                42,
 		StorageMode:            "zstd",
 		ZstdImplementation:     "go",
+		MinTLSVersion:          "1.0",
 		NumUploaders:           100,
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
@@ -425,6 +431,7 @@ storage_mode: zstd
 		StorageMode:            "zstd",
 		ZstdImplementation:     "go",
 		NumUploaders:           100,
+		MinTLSVersion:          "1.0",
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
 		MaxProxyBlobSize:       math.MaxInt64,
@@ -458,6 +465,7 @@ storage_mode: zstd
 		StorageMode:            "zstd",
 		ZstdImplementation:     "go",
 		NumUploaders:           100,
+		MinTLSVersion:          "1.0",
 		MaxQueuedUploads:       1000000,
 		MaxBlobSize:            math.MaxInt64,
 		MaxProxyBlobSize:       math.MaxInt64,

diff --git a/config/tls.go b/config/tls.go
@@ -3,11 +3,25 @@ package config
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"os"
 )
 
 func (c *Config) setTLSConfig() error {
+
+	supportedTLSServerVersions := map[string]uint16{
+		"1.0": tls.VersionTLS10,
+		"1.1": tls.VersionTLS11,
+		"1.2": tls.VersionTLS12,
+		"1.3": tls.VersionTLS13,
+	}
+
+	minTLSVersion, ok := supportedTLSServerVersions[c.MinTLSVersion]
+	if !ok {
+		return errors.New("Unsupported min_tls_version: \"" + c.MinTLSVersion + "\", must be one of 1.0, 1.1, 1.2, 1.3.")
+	}
+
 	if len(c.TLSCaFile) != 0 {
 		caCertPool := x509.NewCertPool()
 		caCert, err := os.ReadFile(c.TLSCaFile)
@@ -37,6 +51,8 @@ func (c *Config) setTLSConfig() error {
 			// we require auth for.
 			// See server.checkGRPCClientCert and httpCache.hasValidClientCert.
 			ClientAuth: tls.VerifyClientCertIfGiven,
+
+			MinVersion: minTLSVersion,
 		}
 
 		return nil
@@ -53,6 +69,7 @@ func (c *Config) setTLSConfig() error {
 
 		c.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{readCert},
+			MinVersion:   minTLSVersion,
 		}
 
 		return nil

diff --git a/main.go b/main.go
@@ -329,6 +329,7 @@ func startHttpServer(c *config.Config, httpServer **http.Server,
 		}
 
 		log.Printf("Starting HTTPS server on address %s", c.HTTPAddress)
+		log.Println("Minimum supported TLS version:", c.MinTLSVersion)
 		err = (*httpServer).ServeTLS(ln, c.TLSCertFile, c.TLSKeyFile)
 		if err == http.ErrServerClosed {
 			log.Println("HTTPS server stopped")

diff --git a/utils/flags/flags.go b/utils/flags/flags.go
@@ -124,6 +124,12 @@ func GetCliFlags() []cli.Flag {
 			Usage:   "Path to a .htpasswd file. This flag is optional. Please read https://httpd.apache.org/docs/2.4/programs/htpasswd.html.",
 			EnvVars: []string{"BAZEL_REMOTE_HTPASSWD_FILE"},
 		},
+		&cli.StringFlag{
+			Name:    "min_tls_version",
+			Value:   "1.0",
+			Usage:   "The minimum TLS version that is acceptable for incoming requests (does not apply to proxy backends). Allowed values: 1.0, 1.1, 1.2, 1.3.",
+			EnvVars: []string{"BAZEL_REMOTE_MIN_TLS_VERSION"},
+		},
 		&cli.StringFlag{
 			Name:    "tls_ca_file",
 			Value:   "",