From 5da4f931c5088f34300a13551351e6ac29618939 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Thu, 18 Feb 2021 20:17:16 +0100 Subject: [PATCH] TLS: allow to configure cipher suites Fixes #316 --- config/config.go | 53 +++++++++++++++++++++++++++++++------- config/config_test.go | 28 ++++++++++++++++++++ docs/full-configuration.md | 4 +++ ftpd/ftpd.go | 11 ++++++++ ftpd/server.go | 1 + httpd/httpd.go | 11 ++++++++ httpd/server.go | 8 ++++-- sftpgo.json | 12 ++++++--- telemetry/telemetry.go | 18 +++++++++++-- utils/utils.go | 16 ++++++++++++ webdavd/server.go | 8 ++++-- webdavd/webdavd.go | 11 ++++++++ 12 files changed, 162 insertions(+), 19 deletions(-) diff --git a/config/config.go b/config/config.go index 72ad64c6..cd07acd9 100644 --- a/config/config.go +++ b/config/config.go @@ -51,19 +51,22 @@ var ( TLSMode: 0, ForcePassiveIP: "", ClientAuthType: 0, + TLSCipherSuites: nil, } defaultWebDAVDBinding = webdavd.Binding{ - Address: "", - Port: 0, - EnableHTTPS: false, - ClientAuthType: 0, + Address: "", + Port: 0, + EnableHTTPS: false, + ClientAuthType: 0, + TLSCipherSuites: nil, } defaultHTTPDBinding = httpd.Binding{ - Address: "127.0.0.1", - Port: 8080, - EnableWebAdmin: true, - EnableHTTPS: false, - ClientAuthType: 0, + Address: "127.0.0.1", + Port: 8080, + EnableWebAdmin: true, + EnableHTTPS: false, + ClientAuthType: 0, + TLSCipherSuites: nil, } ) @@ -238,6 +241,7 @@ func Init() { AuthUserFile: "", CertificateFile: "", CertificateKeyFile: "", + TLSCipherSuites: nil, }, } @@ -661,6 +665,12 @@ func getFTPDBindingFromEnv(idx int) { isSet = true } + tlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__TLS_CIPHER_SUITES", idx)) + if ok { + binding.TLSCipherSuites = tlsCiphers + isSet = true + } + if isSet { if len(globalConf.FTPD.Bindings) > idx { globalConf.FTPD.Bindings[idx] = binding @@ -702,6 +712,12 @@ func getWebDAVDBindingFromEnv(idx int) { isSet = true } + tlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__TLS_CIPHER_SUITES", idx)) + if ok { + binding.TLSCipherSuites = tlsCiphers + isSet = true + } + if isSet { if len(globalConf.WebDAVD.Bindings) > idx { globalConf.WebDAVD.Bindings[idx] = binding @@ -749,6 +765,12 @@ func getHTTPDBindingFromEnv(idx int) { isSet = true } + tlsCiphers, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__TLS_CIPHER_SUITES", idx)) + if ok { + binding.TLSCipherSuites = tlsCiphers + isSet = true + } + if isSet { if len(globalConf.HTTPDConfig.Bindings) > idx { globalConf.HTTPDConfig.Bindings[idx] = binding @@ -888,6 +910,7 @@ func setViperDefaults() { viper.SetDefault("telemetry.auth_user_file", globalConf.TelemetryConfig.AuthUserFile) viper.SetDefault("telemetry.certificate_file", globalConf.TelemetryConfig.CertificateFile) viper.SetDefault("telemetry.certificate_key_file", globalConf.TelemetryConfig.CertificateKeyFile) + viper.SetDefault("telemetry.tls_cipher_suites", globalConf.TelemetryConfig.TLSCipherSuites) } func lookupBoolFromEnv(envName string) (bool, bool) { @@ -913,3 +936,15 @@ func lookupIntFromEnv(envName string) (int, bool) { return 0, false } + +func lookupStringListFromEnv(envName string) ([]string, bool) { + value, ok := os.LookupEnv(envName) + if ok { + var result []string + for _, v := range strings.Split(value, ",") { + result = append(result, strings.TrimSpace(v)) + } + return result, true + } + return nil, false +} diff --git a/config/config_test.go b/config/config_test.go index 9dab7df2..5774538b 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -538,6 +538,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) { os.Setenv("SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG", "f") os.Setenv("SFTPGO_FTPD__BINDINGS__0__TLS_MODE", "2") os.Setenv("SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP", "127.0.1.2") + os.Setenv("SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") os.Setenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS", "127.0.1.1") os.Setenv("SFTPGO_FTPD__BINDINGS__9__PORT", "2203") os.Setenv("SFTPGO_FTPD__BINDINGS__9__APPLY_PROXY_CONFIG", "t") @@ -551,6 +552,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) { os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__APPLY_PROXY_CONFIG") os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__TLS_MODE") os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP") + os.Unsetenv("SFTPGO_FTPD__BINDINGS__0__TLS_CIPHER_SUITES") os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS") os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PORT") os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__APPLY_PROXY_CONFIG") @@ -570,12 +572,16 @@ func TestFTPDBindingsFromEnv(t *testing.T) { require.Equal(t, 2, bindings[0].TLSMode) require.Equal(t, "127.0.1.2", bindings[0].ForcePassiveIP) require.Equal(t, 0, bindings[0].ClientAuthType) + require.Len(t, bindings[0].TLSCipherSuites, 2) + require.Equal(t, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", bindings[0].TLSCipherSuites[0]) + require.Equal(t, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", bindings[0].TLSCipherSuites[1]) require.Equal(t, 2203, bindings[1].Port) require.Equal(t, "127.0.1.1", bindings[1].Address) require.True(t, bindings[1].ApplyProxyConfig) require.Equal(t, 1, bindings[1].TLSMode) require.Equal(t, "127.0.1.1", bindings[1].ForcePassiveIP) require.Equal(t, 1, bindings[1].ClientAuthType) + require.Nil(t, bindings[1].TLSCipherSuites) } func TestWebDAVBindingsFromEnv(t *testing.T) { @@ -584,6 +590,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) { os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS", "127.0.0.1") os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT", "8000") os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS", "0") + os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES", "TLS_RSA_WITH_AES_128_CBC_SHA ") os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS", "127.0.1.1") os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT", "9000") os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS", "1") @@ -592,6 +599,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) { os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ADDRESS") os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PORT") os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS") + os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES") os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS") os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT") os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS") @@ -606,14 +614,18 @@ func TestWebDAVBindingsFromEnv(t *testing.T) { require.Equal(t, 0, bindings[0].Port) require.Empty(t, bindings[0].Address) require.False(t, bindings[0].EnableHTTPS) + require.Len(t, bindings[0].TLSCipherSuites, 0) require.Equal(t, 8000, bindings[1].Port) require.Equal(t, "127.0.0.1", bindings[1].Address) require.False(t, bindings[1].EnableHTTPS) require.Equal(t, 0, bindings[1].ClientAuthType) + require.Len(t, bindings[1].TLSCipherSuites, 1) + require.Equal(t, "TLS_RSA_WITH_AES_128_CBC_SHA", bindings[1].TLSCipherSuites[0]) require.Equal(t, 9000, bindings[2].Port) require.Equal(t, "127.0.1.1", bindings[2].Address) require.True(t, bindings[2].EnableHTTPS) require.Equal(t, 1, bindings[2].ClientAuthType) + require.Nil(t, bindings[2].TLSCipherSuites) } func TestHTTPDBindingsFromEnv(t *testing.T) { @@ -623,6 +635,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { os.Setenv("SFTPGO_HTTPD__BINDINGS__0__ADDRESS", sockPath) os.Setenv("SFTPGO_HTTPD__BINDINGS__0__PORT", "0") + os.Setenv("SFTPGO_HTTPD__BINDINGS__0__TLS_CIPHER_SUITES", " TLS_AES_128_GCM_SHA256") os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ADDRESS", "127.0.0.1") os.Setenv("SFTPGO_HTTPD__BINDINGS__1__PORT", "8000") os.Setenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS", "0") @@ -632,9 +645,11 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN", "0") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1") + os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256") t.Cleanup(func() { os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__ADDRESS") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__PORT") + os.Unsetenv("SFTPGO_HTTPD__BINDINGS__0__TLS_CIPHER_SUITES") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ADDRESS") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__PORT") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__1__ENABLE_HTTPS") @@ -644,6 +659,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE") + os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES") }) configDir := ".." @@ -655,16 +671,22 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { require.Equal(t, sockPath, bindings[0].Address) require.False(t, bindings[0].EnableHTTPS) require.True(t, bindings[0].EnableWebAdmin) + require.Len(t, bindings[0].TLSCipherSuites, 1) + require.Equal(t, "TLS_AES_128_GCM_SHA256", bindings[0].TLSCipherSuites[0]) require.Equal(t, 8000, bindings[1].Port) require.Equal(t, "127.0.0.1", bindings[1].Address) require.False(t, bindings[1].EnableHTTPS) require.True(t, bindings[1].EnableWebAdmin) + require.Nil(t, bindings[1].TLSCipherSuites) require.Equal(t, 9000, bindings[2].Port) require.Equal(t, "127.0.1.1", bindings[2].Address) require.True(t, bindings[2].EnableHTTPS) require.False(t, bindings[2].EnableWebAdmin) require.Equal(t, 1, bindings[2].ClientAuthType) + require.Len(t, bindings[2].TLSCipherSuites, 2) + require.Equal(t, "TLS_AES_256_GCM_SHA384", bindings[2].TLSCipherSuites[0]) + require.Equal(t, "TLS_CHACHA20_POLY1305_SHA256", bindings[2].TLSCipherSuites[1]) } func TestHTTPClientCertificatesFromEnv(t *testing.T) { @@ -738,6 +760,7 @@ func TestConfigFromEnv(t *testing.T) { os.Setenv("SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON", "add") os.Setenv("SFTPGO_KMS__SECRETS__URL", "local") os.Setenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH", "path") + os.Setenv("SFTPGO_TELEMETRY__TLS_CIPHER_SUITES", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA") t.Cleanup(func() { os.Unsetenv("SFTPGO_SFTPD__BINDINGS__0__ADDRESS") os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__0__PORT") @@ -746,6 +769,7 @@ func TestConfigFromEnv(t *testing.T) { os.Unsetenv("SFTPGO_DATA_PROVIDER__ACTIONS__EXECUTE_ON") os.Unsetenv("SFTPGO_KMS__SECRETS__URL") os.Unsetenv("SFTPGO_KMS__SECRETS__MASTER_KEY_PATH") + os.Unsetenv("SFTPGO_TELEMETRY__TLS_CIPHER_SUITES") }) err := config.LoadConfig(".", "invalid config") assert.NoError(t, err) @@ -760,4 +784,8 @@ func TestConfigFromEnv(t *testing.T) { kmsConfig := config.GetKMSConfig() assert.Equal(t, "local", kmsConfig.Secrets.URL) assert.Equal(t, "path", kmsConfig.Secrets.MasterKeyPath) + telemetryConfig := config.GetTelemetryConfig() + assert.Len(t, telemetryConfig.TLSCipherSuites, 2) + assert.Equal(t, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", telemetryConfig.TLSCipherSuites[0]) + assert.Equal(t, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", telemetryConfig.TLSCipherSuites[1]) } diff --git a/docs/full-configuration.md b/docs/full-configuration.md index 3e290b30..7c2a6e34 100644 --- a/docs/full-configuration.md +++ b/docs/full-configuration.md @@ -110,6 +110,7 @@ The configuration file contains the following sections: - `tls_mode`, integer. 0 means accept both cleartext and encrypted sessions. 1 means TLS is required for both control and data connection. 2 means implicit TLS. Do not enable this blindly, please check that a proper TLS config is in place if you set `tls_mode` is different from 0. - `force_passive_ip`, ip address. External IP address to expose for passive connections. Leavy empty to autodetect. Defaut: "". - `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to FTP authentication. You need to define at least a certificate authority for this to work. Default: 0. + - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty. - `bind_port`, integer. Deprecated, please use `bindings` - `bind_address`, string. Deprecated, please use `bindings` - `banner`, string. Greeting banner displayed when a connection first comes in. Leave empty to use the default banner. Default `SFTPGo ready`, for example `SFTPGo 1.0.0-dev ready`. @@ -132,6 +133,7 @@ The configuration file contains the following sections: - `address`, string. Leave blank to listen on all available network interfaces. Default: "". - `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`. - `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to basic authentication. You need to define at least a certificate authority for this to work. Default: 0. + - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty. - `bind_port`, integer. Deprecated, please use `bindings`. - `bind_address`, string. Deprecated, please use `bindings`. - `certificate_file`, string. Certificate for WebDAV over HTTPS. This can be an absolute path or a path relative to the config dir. @@ -193,6 +195,7 @@ The configuration file contains the following sections: - `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to enable the built-in web admin interface. Default `true`. - `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`. - `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0. + - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty. - `bind_port`, integer. Deprecated, please use `bindings`. - `bind_address`, string. Deprecated, please use `bindings`. Leave blank to listen on all available network interfaces. On \*NIX you can specify an absolute path to listen on a Unix-domain socket. Default: "127.0.0.1" - `templates_path`, string. Path to the HTML web templates. This can be an absolute path or a path relative to the config dir @@ -209,6 +212,7 @@ The configuration file contains the following sections: - `auth_user_file`, string. Path to a file used to store usernames and passwords for basic authentication. This can be an absolute path or a path relative to the config dir. We support HTTP basic authentication, and the file format must conform to the one generated using the Apache `htpasswd` tool. The supported password formats are bcrypt (`$2y$` prefix) and md5 crypt (`$apr1$` prefix). If empty, HTTP authentication is disabled. Authentication will be always disabled for the `/healthz` endpoint. - `certificate_file`, string. Certificate for HTTPS. This can be an absolute path or a path relative to the config dir. - `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows. + - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty. - **"http"**, the configuration for HTTP clients. HTTP clients are used for executing hooks. Some hooks use a retryable HTTP client, for these hooks you can configure the time between retries and the number of retries. Please check the hook specific documentation to understand which hooks use a retryable HTTP client. - `timeout`, integer. Timeout specifies a time limit, in seconds, for requests. For requests with retries this is the timeout for a single request - `retry_wait_min`, integer. Defines the minimum waiting time between attempts in seconds. diff --git a/ftpd/ftpd.go b/ftpd/ftpd.go index bd3681c0..b6f04f97 100644 --- a/ftpd/ftpd.go +++ b/ftpd/ftpd.go @@ -37,6 +37,17 @@ type Binding struct { // set to 1 to require client certificate authentication in addition to FTP auth. // You need to define at least a certificate authority for this to work ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"` + // TLSCipherSuites is a list of supported cipher suites for TLS version 1.2. + // If CipherSuites is nil/empty, a default list of secure cipher suites + // is used, with a preference order based on hardware performance. + // Note that TLS 1.3 ciphersuites are not configurable. + // The supported ciphersuites names are defined here: + // + // https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52 + // + // any invalid name will be silently ignored. + // The order matters, the ciphers listed first will be the preferred ones. + TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"` } // GetAddress returns the binding address diff --git a/ftpd/server.go b/ftpd/server.go index b80ad19c..021bffb1 100644 --- a/ftpd/server.go +++ b/ftpd/server.go @@ -162,6 +162,7 @@ func (s *Server) GetTLSConfig() (*tls.Config, error) { tlsConfig := &tls.Config{ GetCertificate: certMgr.GetCertificateFunc(), MinVersion: tls.VersionTLS12, + CipherSuites: utils.GetTLSCiphersFromNames(s.binding.TLSCipherSuites), } if s.binding.ClientAuthType == 1 { tlsConfig.ClientCAs = certMgr.GetRootCAs() diff --git a/httpd/httpd.go b/httpd/httpd.go index ea69babe..125bdf9d 100644 --- a/httpd/httpd.go +++ b/httpd/httpd.go @@ -96,6 +96,17 @@ type Binding struct { // set to 1 to require client certificate authentication in addition to basic auth. // You need to define at least a certificate authority for this to work ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"` + // TLSCipherSuites is a list of supported cipher suites for TLS version 1.2. + // If CipherSuites is nil/empty, a default list of secure cipher suites + // is used, with a preference order based on hardware performance. + // Note that TLS 1.3 ciphersuites are not configurable. + // The supported ciphersuites names are defined here: + // + // https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52 + // + // any invalid name will be silently ignored. + // The order matters, the ciphers listed first will be the preferred ones. + TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"` } // GetAddress returns the binding address diff --git a/httpd/server.go b/httpd/server.go index 4ba69b6b..4fa2030b 100644 --- a/httpd/server.go +++ b/httpd/server.go @@ -51,9 +51,13 @@ func (s *httpdServer) listenAndServe() error { } if certMgr != nil && s.binding.EnableHTTPS { config := &tls.Config{ - GetCertificate: certMgr.GetCertificateFunc(), - MinVersion: tls.VersionTLS12, + GetCertificate: certMgr.GetCertificateFunc(), + MinVersion: tls.VersionTLS12, + CipherSuites: utils.GetTLSCiphersFromNames(s.binding.TLSCipherSuites), + PreferServerCipherSuites: true, } + logger.Debug(logSender, "", "configured TLS cipher suites for binding %#v: %v", s.binding.GetAddress(), + config.CipherSuites) httpServer.TLSConfig = config if s.binding.ClientAuthType == 1 { httpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs() diff --git a/sftpgo.json b/sftpgo.json index 830d272d..44b52b2d 100644 --- a/sftpgo.json +++ b/sftpgo.json @@ -59,7 +59,8 @@ "apply_proxy_config": true, "tls_mode": 0, "force_passive_ip": "", - "client_auth_type": 0 + "client_auth_type": 0, + "tls_cipher_suites": [] } ], "banner": "", @@ -84,7 +85,8 @@ "port": 0, "address": "", "enable_https": false, - "client_auth_type": 0 + "client_auth_type": 0, + "tls_cipher_suites": [] } ], "certificate_file": "", @@ -153,7 +155,8 @@ "address": "127.0.0.1", "enable_web_admin": true, "enable_https": false, - "client_auth_type": 0 + "client_auth_type": 0, + "tls_cipher_suites": [] } ], "templates_path": "templates", @@ -170,7 +173,8 @@ "enable_profiler": false, "auth_user_file": "", "certificate_file": "", - "certificate_key_file": "" + "certificate_key_file": "", + "tls_cipher_suites": [] }, "http": { "timeout": 20, diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go index ea2d13ba..fecb4792 100644 --- a/telemetry/telemetry.go +++ b/telemetry/telemetry.go @@ -52,6 +52,17 @@ type Conf struct { // "paramchange" request to the running service on Windows. CertificateFile string `json:"certificate_file" mapstructure:"certificate_file"` CertificateKeyFile string `json:"certificate_key_file" mapstructure:"certificate_key_file"` + // TLSCipherSuites is a list of supported cipher suites for TLS version 1.2. + // If CipherSuites is nil/empty, a default list of secure cipher suites + // is used, with a preference order based on hardware performance. + // Note that TLS 1.3 ciphersuites are not configurable. + // The supported ciphersuites names are defined here: + // + // https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52 + // + // any invalid name will be silently ignored. + // The order matters, the ciphers listed first will be the preferred ones. + TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"` } // ShouldBind returns true if there service must be started @@ -91,9 +102,12 @@ func (c Conf) Initialize(configDir string) error { return err } config := &tls.Config{ - GetCertificate: certMgr.GetCertificateFunc(), - MinVersion: tls.VersionTLS12, + GetCertificate: certMgr.GetCertificateFunc(), + MinVersion: tls.VersionTLS12, + CipherSuites: utils.GetTLSCiphersFromNames(c.TLSCipherSuites), + PreferServerCipherSuites: true, } + logger.Debug(logSender, "", "configured TLS cipher suites: %v", config.CipherSuites) httpServer.TLSConfig = config return utils.HTTPListenAndServe(httpServer, c.BindAddress, c.BindPort, true, logSender) } diff --git a/utils/utils.go b/utils/utils.go index 33882d26..89df4428 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -9,6 +9,7 @@ import ( "crypto/elliptic" "crypto/rand" "crypto/rsa" + "crypto/tls" "crypto/x509" "encoding/hex" "encoding/pem" @@ -436,3 +437,18 @@ func HTTPListenAndServe(srv *http.Server, address string, port int, isTLS bool, } return srv.Serve(listener) } + +// GetTLSCiphersFromNames returns the TLS ciphers from the specified names +func GetTLSCiphersFromNames(cipherNames []string) []uint16 { + var ciphers []uint16 + + for _, name := range RemoveDuplicates(cipherNames) { + for _, c := range tls.CipherSuites() { + if c.Name == strings.TrimSpace(name) { + ciphers = append(ciphers, c.ID) + } + } + } + + return ciphers +} diff --git a/webdavd/server.go b/webdavd/server.go index eb28ab3b..16c792f7 100644 --- a/webdavd/server.go +++ b/webdavd/server.go @@ -62,9 +62,13 @@ func (s *webDavServer) listenAndServe(compressor *middleware.Compressor) error { if certMgr != nil && s.binding.EnableHTTPS { serviceStatus.Bindings = append(serviceStatus.Bindings, s.binding) httpServer.TLSConfig = &tls.Config{ - GetCertificate: certMgr.GetCertificateFunc(), - MinVersion: tls.VersionTLS12, + GetCertificate: certMgr.GetCertificateFunc(), + MinVersion: tls.VersionTLS12, + CipherSuites: utils.GetTLSCiphersFromNames(s.binding.TLSCipherSuites), + PreferServerCipherSuites: true, } + logger.Debug(logSender, "", "configured TLS cipher suites for binding %#v: %v", s.binding.GetAddress(), + httpServer.TLSConfig.CipherSuites) if s.binding.ClientAuthType == 1 { httpServer.TLSConfig.ClientCAs = certMgr.GetRootCAs() httpServer.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert diff --git a/webdavd/webdavd.go b/webdavd/webdavd.go index 105ebec5..f69427ce 100644 --- a/webdavd/webdavd.go +++ b/webdavd/webdavd.go @@ -75,6 +75,17 @@ type Binding struct { // set to 1 to require client certificate authentication in addition to basic auth. // You need to define at least a certificate authority for this to work ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"` + // TLSCipherSuites is a list of supported cipher suites for TLS version 1.2. + // If CipherSuites is nil/empty, a default list of secure cipher suites + // is used, with a preference order based on hardware performance. + // Note that TLS 1.3 ciphersuites are not configurable. + // The supported ciphersuites names are defined here: + // + // https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52 + // + // any invalid name will be silently ignored. + // The order matters, the ciphers listed first will be the preferred ones. + TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"` } // GetAddress returns the binding address