cmd/contour: force TLS 1.2 for the Contour xDS session (projectcontou…

…r#2947) Set the minimum TLS version to TLSv1.2 for gRPC XDS interface, removing support for TLSv1.0 and TLSv1.1, which are now deprecated. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
stevesloka · Sep 28, 2020 · 54c0fa5 · 54c0fa5
1 parent 2cf8324
commit 54c0fa5
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
@@ -385,6 +385,7 @@ func (ctx *serveContext) tlsconfig(log logrus.FieldLogger) *tls.Config {
 			ClientAuth:   tls.RequireAndVerifyClientCert,
 			ClientCAs:    certPool,
 			Rand:         rand.Reader,
+			MinVersion:   tls.VersionTLS12,
 		}, nil
 	}
 

diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go
@@ -381,6 +381,35 @@ func TestServeContextCertificateHandling(t *testing.T) {
 	}
 }
 
+func TestTlsVersionDeprecation(t *testing.T) {
+	// To get tls.Config for the gRPC XDS server, we need to arrange valid TLS certificates and keys.
+	// Create temporary directory to store them for the server.
+	configDir, err := ioutil.TempDir("", "contour-testdata-")
+	checkFatalErr(t, err)
+	defer os.RemoveAll(configDir)
+
+	ctx := serveContext{
+		ServerConfig: ServerConfig{
+			caFile:      filepath.Join(configDir, "CAcert.pem"),
+			contourCert: filepath.Join(configDir, "contourcert.pem"),
+			contourKey:  filepath.Join(configDir, "contourkey.pem"),
+		},
+	}
+
+	err = linkFiles("testdata/1", configDir)
+	checkFatalErr(t, err)
+
+	// Get preliminary TLS config from the serveContext.
+	log := fixture.NewTestLogger(t)
+	preliminaryTLSConfig := ctx.tlsconfig(log)
+
+	// Get actual TLS config that will be used during TLS handshake.
+	tlsConfig, err := preliminaryTLSConfig.GetConfigForClient(nil)
+	checkFatalErr(t, err)
+
+	assert.Equal(t, tlsConfig.MinVersion, uint16(tls.VersionTLS12))
+}
+
 func checkFatalErr(t *testing.T, err error) {
 	t.Helper()
 	if err != nil {