Add: support specifying cipher suites in tls connection #3019

jaegertracing · May 22, 2021 · ae6cbd1 · ae6cbd1
1 parent f0d0518
commit ae6cbd1
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/pkg/config/tlscfg/options.go b/pkg/config/tlscfg/options.go
@@ -18,6 +18,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"github.com/coreos/etcd/pkg/tlsutil"
 	"io"
 	"io/ioutil"
 	"path/filepath"
@@ -34,6 +35,7 @@ type Options struct {
 	ServerName     string       `mapstructure:"server_name"` // only for client-side TLS config
 	ClientCAPath   string       `mapstructure:"client_ca"`   // only for server-side TLS config for client auth
 	SkipHostVerify bool         `mapstructure:"skip_host_verify"`
+	Ciphers        string       `mapstructure:"ciphers"`
 	certWatcher    *certWatcher `mapstructure:"-"`
 }
 
@@ -52,6 +54,17 @@ func (p *Options) Config(logger *zap.Logger) (*tls.Config, error) {
 		ServerName:         p.ServerName,
 		InsecureSkipVerify: p.SkipHostVerify,
 	}
+	if len(p.Ciphers) > 0 {
+		cs := make([]uint16, len(p.Ciphers))
+		for i, s := range p.Ciphers {
+			var ok bool
+			cs[i], ok = tlsutil.GetCipherSuite(p.Ciphers)
+			if !ok {
+				return nil, fmt.Errorf("unexpected TLS cipher suite %q", s)
+			}
+		}
+		tlsCfg.CipherSuites = cs
+	}
 	if p.ClientCAPath != "" {
 		certPool := x509.NewCertPool()
 		if err := addCertToPool(p.ClientCAPath, certPool); err != nil {