expose MinTLSVersion config for TLS handshake (#3103)

ZetaoZhuang · web-flow · commit 59a5022f4c10 · 2024-11-12T16:33:39.000Z
* expose MinTLSVersion config

* address comment

* use valid TLS version in config test
diff --git a/cns/configuration/cns_config.json b/cns/configuration/cns_config.json
@@ -33,5 +33,6 @@
     "MellanoxMonitorIntervalSecs": 30,
     "AZRSettings": {
         "PopulateHomeAzCacheRetryIntervalSecs": 60
-    }
+    },
+    "MinTLSVersion": "TLS 1.2"
 }
diff --git a/cns/configuration/configuration.go b/cns/configuration/configuration.go
@@ -54,6 +54,7 @@ type CNSConfig struct {
 	WatchPods                   bool `json:"-"`
 	WireserverIP                string
 	GRPCSettings                GRPCSettings
+	MinTLSVersion               string
 }
 
 type TelemetrySettings struct {
@@ -229,6 +230,10 @@ func SetCNSConfigDefaults(config *CNSConfig) {
 	if config.GRPCSettings.Port == 0 {
 		config.GRPCSettings.Port = 8080
 	}
+
+	if config.MinTLSVersion == "" {
+		config.MinTLSVersion = "TLS 1.2"
+	}
 	config.GRPCSettings.Enable = false
 	config.WatchPods = config.EnableIPAMv2 || config.EnableSwiftV2
 }
diff --git a/cns/configuration/configuration_test.go b/cns/configuration/configuration_test.go
@@ -86,9 +86,10 @@ func TestReadConfigFromFile(t *testing.T) {
 				AZRSettings: AZRSettings{
 					PopulateHomeAzCacheRetryIntervalSecs: 60,
 				},
-				UseHTTPS:     true,
-				UseMTLS:      true,
-				WireserverIP: "168.63.129.16",
+				UseHTTPS:      true,
+				UseMTLS:       true,
+				WireserverIP:  "168.63.129.16",
+				MinTLSVersion: "TLS 1.3",
 			},
 			wantErr: false,
 		},
@@ -220,6 +221,7 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "localhost",
 					Port:      8080,
 				},
+				MinTLSVersion: "TLS 1.2",
 			},
 		},
 		{
@@ -250,6 +252,7 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "192.168.1.1",
 					Port:      9090,
 				},
+				MinTLSVersion: "TLS 1.3",
 			},
 			want: CNSConfig{
 				ChannelMode: "Other",
@@ -279,6 +282,7 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "192.168.1.1",
 					Port:      9090,
 				},
+				MinTLSVersion: "TLS 1.3",
 			},
 		},
 	}
diff --git a/cns/configuration/testdata/good.json b/cns/configuration/testdata/good.json
@@ -34,5 +34,6 @@
     "WireserverIP": "168.63.129.16",
     "AZRSettings": {
         "PopulateHomeAzCacheRetryIntervalSecs": 60
-    }
+    },
+    "MinTLSVersion": "TLS 1.3"
 }
diff --git a/cns/service.go b/cns/service.go
@@ -28,6 +28,8 @@ const (
 	genericData          = "com.microsoft.azure.network.generic"
 )
 
+var errTLSConfig = errors.New("unsupported TLS version name from config")
+
 // Service defines Container Networking Service.
 type Service struct {
 	*common.Service
@@ -179,10 +181,14 @@ func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error)
 		PrivateKey:  privateKey,
 		Leaf:        leafCertificate,
 	}
+	minTLSVersionNumber, err := parseTLSVersionName(tlsSettings.MinTLSVersion)
+	if err != nil {
+		return nil, errors.Wrap(err, "parsing MinTLSVersion from config")
+	}
 
 	tlsConfig := &tls.Config{
 		MaxVersion: tls.VersionTLS13,
-		MinVersion: tls.VersionTLS12,
+		MinVersion: minTLSVersionNumber,
 		Certificates: []tls.Certificate{
 			tlsCert,
 		},
@@ -226,8 +232,13 @@ func getTLSConfigFromKeyVault(tlsSettings localtls.TlsSettings, errChan chan<- e
 		errChan <- cr.Refresh(ctx, tlsSettings.KeyVaultCertificateRefreshInterval)
 	}()
 
+	minTLSVersionNumber, err := parseTLSVersionName(tlsSettings.MinTLSVersion)
+	if err != nil {
+		return nil, errors.Wrap(err, "parsing MinTLSVersion from config")
+	}
+
 	tlsConfig := tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: minTLSVersionNumber,
 		MaxVersion: tls.VersionTLS13,
 		GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			return cr.GetCertificate(), nil
@@ -316,3 +327,16 @@ func (service *Service) SendErrorResponse(w http.ResponseWriter, errMsg error) {
 	err := acn.Encode(w, &resp)
 	logger.Errorf("[%s] %+v %s.", service.Name, &resp, err.Error())
 }
+
+// parseTLSVersionName returns the version number for the provided TLS version name
+// (e.g. 0x0301)
+func parseTLSVersionName(versionName string) (uint16, error) {
+	switch versionName {
+	case "TLS 1.2":
+		return tls.VersionTLS12, nil
+	case "TLS 1.3":
+		return tls.VersionTLS13, nil
+	default:
+		return 0, errors.Wrapf(errTLSConfig, "version name %s", versionName)
+	}
+}
diff --git a/cns/service/main.go b/cns/service/main.go
@@ -776,6 +776,7 @@ func main() {
 				MSIResourceID:                      cnsconfig.MSISettings.ResourceID,
 				KeyVaultCertificateRefreshInterval: time.Duration(cnsconfig.KeyVaultSettings.RefreshIntervalInHrs) * time.Hour,
 				UseMTLS:                            cnsconfig.UseMTLS,
+				MinTLSVersion:                      cnsconfig.MinTLSVersion,
 			}
 		}
 
diff --git a/cns/service_test.go b/cns/service_test.go
@@ -76,6 +76,7 @@ func TestNewService(t *testing.T) {
 			TLSPort:            "10091",
 			TLSSubjectName:     "localhost",
 			TLSCertificatePath: testCertFilePath,
+			MinTLSVersion:      "TLS 1.2",
 		}
 
 		svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
@@ -94,10 +95,13 @@ func TestNewService(t *testing.T) {
 		err = svc.StartListener(config)
 		require.NoError(t, err)
 
+		minTLSVersionNumber, err := parseTLSVersionName(config.TLSSettings.MinTLSVersion)
+		require.NoError(t, err)
+
 		tlsClient := &http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
-					MinVersion: tls.VersionTLS12,
+					MinVersion: minTLSVersionNumber,
 					MaxVersion: tls.VersionTLS13,
 					ServerName: config.TLSSettings.TLSSubjectName,
 					// #nosec G402 for test purposes only
@@ -134,6 +138,7 @@ func TestNewService(t *testing.T) {
 			TLSSubjectName:     "localhost",
 			TLSCertificatePath: testCertFilePath,
 			UseMTLS:            true,
+			MinTLSVersion:      "TLS 1.2",
 		}
 
 		svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
@@ -322,3 +327,31 @@ func createTestCertificate(t *testing.T) string {
 
 	return testCertFilePath
 }
+
+func TestTLSVersionNumber(t *testing.T) {
+	t.Run("unsupported ServerSettings.MinTLSVersion TLS 1.0", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.0")
+		require.Equal(t, uint16(0), versionNumber)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "unsupported TLS version name")
+	})
+
+	t.Run("unsupported ServerSettings.MinTLSVersion TLS 1.1", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.1")
+		require.Equal(t, uint16(0), versionNumber)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "unsupported TLS version name")
+	})
+	t.Run("unsupported ServerSettings.MinTLSVersion TLS 1.4", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.4")
+		require.Equal(t, uint16(0), versionNumber)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "unsupported TLS version name")
+	})
+
+	t.Run("valid ServerSettings.MinTLSVersion", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.2")
+		require.Equal(t, uint16(tls.VersionTLS12), versionNumber)
+		require.NoError(t, err)
+	})
+}
diff --git a/server/tls/tlscertificate_retriever.go b/server/tls/tlscertificate_retriever.go
@@ -14,6 +14,7 @@ type TlsSettings struct {
 	MSIResourceID                      string
 	KeyVaultCertificateRefreshInterval time.Duration
 	UseMTLS                            bool
+	MinTLSVersion                      string
 }
 
 func GetTlsCertificateRetriever(settings TlsSettings) (TlsCertificateRetriever, error) {

Original file line number	Diff line number	Diff line change
`@@ -33,5 +33,6 @@`
`33`	`33`	`"MellanoxMonitorIntervalSecs": 30,`
`34`	`34`	`"AZRSettings": {`
`35`	`35`	`"PopulateHomeAzCacheRetryIntervalSecs": 60`
`36`		`- }`
	`36`	`+ },`
	`37`	`+ "MinTLSVersion": "TLS 1.2"`
`37`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ type CNSConfig struct {`
`54`	`54`	WatchPods bool `json:"-"`
`55`	`55`	`WireserverIP string`
`56`	`56`	`GRPCSettings GRPCSettings`
	`57`	`+ MinTLSVersion string`
`57`	`58`	`}`
`58`	`59`
`59`	`60`	`type TelemetrySettings struct {`
`@@ -229,6 +230,10 @@ func SetCNSConfigDefaults(config *CNSConfig) {`
`229`	`230`	`if config.GRPCSettings.Port == 0 {`
`230`	`231`	`config.GRPCSettings.Port = 8080`
`231`	`232`	`}`
	`233`	`+`
	`234`	`+ if config.MinTLSVersion == "" {`
	`235`	`+ config.MinTLSVersion = "TLS 1.2"`
	`236`	`+ }`
`232`	`237`	`config.GRPCSettings.Enable = false`
`233`	`238`	`config.WatchPods = config.EnableIPAMv2 \|\| config.EnableSwiftV2`
`234`	`239`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,5 +34,6 @@`
`34`	`34`	`"WireserverIP": "168.63.129.16",`
`35`	`35`	`"AZRSettings": {`
`36`	`36`	`"PopulateHomeAzCacheRetryIntervalSecs": 60`
`37`		`- }`
	`37`	`+ },`
	`38`	`+ "MinTLSVersion": "TLS 1.3"`
`38`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -776,6 +776,7 @@ func main() {`
`776`	`776`	`MSIResourceID: cnsconfig.MSISettings.ResourceID,`
`777`	`777`	`KeyVaultCertificateRefreshInterval: time.Duration(cnsconfig.KeyVaultSettings.RefreshIntervalInHrs) * time.Hour,`
`778`	`778`	`UseMTLS: cnsconfig.UseMTLS,`
	`779`	`+ MinTLSVersion: cnsconfig.MinTLSVersion,`
`779`	`780`	`}`
`780`	`781`	`}`
`781`	`782`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ type TlsSettings struct {`
`14`	`14`	`MSIResourceID string`
`15`	`15`	`KeyVaultCertificateRefreshInterval time.Duration`
`16`	`16`	`UseMTLS bool`
	`17`	`+ MinTLSVersion string`
`17`	`18`	`}`
`18`	`19`
`19`	`20`	`func GetTlsCertificateRetriever(settings TlsSettings) (TlsCertificateRetriever, error) {`