Configure TLS

Author: everesio

README.md

@@ -64,67 +64,70 @@ See:
       kafka-proxy server [flags]
 
     Flags:
-          --auth-gateway-client-command string         Path to authentication plugin binary
-          --auth-gateway-client-enable                 Enable gateway client authentication
-          --auth-gateway-client-log-level string       Log level of the auth plugin (default "trace")
-          --auth-gateway-client-magic uint             Magic bytes sent in the handshake
-          --auth-gateway-client-method string          Authentication method
-          --auth-gateway-client-param stringArray      Authentication plugin parameter
-          --auth-gateway-client-timeout duration       Authentication timeout (default 10s)
-          --auth-gateway-server-command string         Path to authentication plugin binary
-          --auth-gateway-server-enable                 Enable proxy server authentication
-          --auth-gateway-server-log-level string       Log level of the auth plugin (default "trace")
-          --auth-gateway-server-magic uint             Magic bytes sent in the handshake
-          --auth-gateway-server-method string          Authentication method
-          --auth-gateway-server-param stringArray      Authentication plugin parameter
-          --auth-gateway-server-timeout duration       Authentication timeout (default 10s)
-          --auth-local-command string                  Path to authentication plugin binary
-          --auth-local-enable                          Enable local SASL/PLAIN authentication performed by listener - SASL handshake will not be passed to kafka brokers
-          --auth-local-log-level string                Log level of the auth plugin (default "trace")
-          --auth-local-param stringArray               Authentication plugin parameter
-          --auth-local-timeout duration                Authentication timeout (default 10s)
-          --bootstrap-server-mapping stringArray       Mapping of Kafka bootstrap server address to local address (host:port,host:port(,advhost:advport))
-          --debug-enable                               Enable Debug endpoint
-          --debug-listen-address string                Debug listen address (default "0.0.0.0:6060")
-          --default-listener-ip string                 Default listener IP (default "127.0.0.1")
-          --dynamic-listeners-disable                  Disable dynamic listeners.
-          --external-server-mapping stringArray        Mapping of Kafka server address to external address (host:port,host:port). A listener for the external address is not started
-          --forbidden-api-keys intSlice                Forbidden Kafka request types. The restriction should prevent some Kafka operations e.g. 20 - DeleteTopics
-      -h, --help                                       help for server
-          --http-disable                               Disable HTTP endpoints
-          --http-health-path string                    Path on which to health endpoint (default "/health")
-          --http-listen-address string                 Address that kafka-proxy is listening on (default "0.0.0.0:9080")
-          --http-metrics-path string                   Path on which to expose metrics (default "/metrics")
-          --kafka-client-id string                     An optional identifier to track the source of requests (default "kafka-proxy")
-          --kafka-connection-read-buffer-size int      Size of the operating system's receive buffer associated with the connection. If zero, system default is used
-          --kafka-connection-write-buffer-size int     Sets the size of the operating system's transmit buffer associated with the connection. If zero, system default is used
-          --kafka-dial-timeout duration                How long to wait for the initial connection (default 15s)
-          --kafka-keep-alive duration                  Keep alive period for an active network connection. If zero, keep-alives are disabled (default 1m0s)
-          --kafka-max-open-requests int                Maximal number of open requests pro tcp connection before sending on it blocks (default 256)
-          --kafka-read-timeout duration                How long to wait for a response (default 30s)
-          --kafka-write-timeout duration               How long to wait for a transmit (default 30s)
-          --log-format string                          Log format text or json (default "text")
-          --log-level string                           Log level debug, info, warning, error, fatal or panic (default "info")
-          --proxy-listener-ca-chain-cert-file string   PEM encoded CA's certificate file. If provided, client certificate is required and verified
-          --proxy-listener-cert-file string            PEM encoded file with server certificate
-          --proxy-listener-keep-alive duration         Keep alive period for an active network connection. If zero, keep-alives are disabled (default 1m0s)
-          --proxy-listener-key-file string             PEM encoded file with private key for the server certificate
-          --proxy-listener-key-password string         Password to decrypt rsa private key
-          --proxy-listener-read-buffer-size int        Size of the operating system's receive buffer associated with the connection. If zero, system default is used
-          --proxy-listener-tls-enable                  Whether or not to use TLS listener
-          --proxy-listener-write-buffer-size int       Sets the size of the operating system's transmit buffer associated with the connection. If zero, system default is used
-          --proxy-request-buffer-size int              Request buffer size pro tcp connection (default 4096)
-          --proxy-response-buffer-size int             Response buffer size pro tcp connection (default 4096)
-          --sasl-enable                                Connect using SASL/PLAIN
-          --sasl-jaas-config-file string               Location of JAAS config file with SASL username and password
-          --sasl-password string                       SASL user password
-          --sasl-username string                       SASL user name
-          --tls-ca-chain-cert-file string              PEM encoded CA's certificate file
-          --tls-client-cert-file string                PEM encoded file with client certificate
-          --tls-client-key-file string                 PEM encoded file with private key for the client certificate
-          --tls-client-key-password string             Password to decrypt rsa private key
-          --tls-enable                                 Whether or not to use TLS when connecting to the broker
-          --tls-insecure-skip-verify                   It controls whether a client verifies the server's certificate chain and host name
+          --auth-gateway-client-command string             Path to authentication plugin binary
+          --auth-gateway-client-enable                     Enable gateway client authentication
+          --auth-gateway-client-log-level string           Log level of the auth plugin (default "trace")
+          --auth-gateway-client-magic uint                 Magic bytes sent in the handshake
+          --auth-gateway-client-method string              Authentication method
+          --auth-gateway-client-param stringArray          Authentication plugin parameter
+          --auth-gateway-client-timeout duration           Authentication timeout (default 10s)
+          --auth-gateway-server-command string             Path to authentication plugin binary
+          --auth-gateway-server-enable                     Enable proxy server authentication
+          --auth-gateway-server-log-level string           Log level of the auth plugin (default "trace")
+          --auth-gateway-server-magic uint                 Magic bytes sent in the handshake
+          --auth-gateway-server-method string              Authentication method
+          --auth-gateway-server-param stringArray          Authentication plugin parameter
+          --auth-gateway-server-timeout duration           Authentication timeout (default 10s)
+          --auth-local-command string                      Path to authentication plugin binary
+          --auth-local-enable                              Enable local SASL/PLAIN authentication performed by listener - SASL handshake will not be passed to kafka brokers
+          --auth-local-log-level string                    Log level of the auth plugin (default "trace")
+          --auth-local-param stringArray                   Authentication plugin parameter
+          --auth-local-timeout duration                    Authentication timeout (default 10s)
+          --bootstrap-server-mapping stringArray           Mapping of Kafka bootstrap server address to local address (host:port,host:port(,advhost:advport))
+          --debug-enable                                   Enable Debug endpoint
+          --debug-listen-address string                    Debug listen address (default "0.0.0.0:6060")
+          --default-listener-ip string                     Default listener IP (default "127.0.0.1")
+          --dynamic-listeners-disable                      Disable dynamic listeners.
+          --external-server-mapping stringArray            Mapping of Kafka server address to external address (host:port,host:port). A listener for the external address is not started
+          --forbidden-api-keys intSlice                    Forbidden Kafka request types. The restriction should prevent some Kafka operations e.g. 20 - DeleteTopics
+      -h, --help                                           help for server
+          --http-disable                                   Disable HTTP endpoints
+          --http-health-path string                        Path on which to health endpoint (default "/health")
+          --http-listen-address string                     Address that kafka-proxy is listening on (default "0.0.0.0:9080")
+          --http-metrics-path string                       Path on which to expose metrics (default "/metrics")
+          --kafka-client-id string                         An optional identifier to track the source of requests (default "kafka-proxy")
+          --kafka-connection-read-buffer-size int          Size of the operating system's receive buffer associated with the connection. If zero, system default is used
+          --kafka-connection-write-buffer-size int         Sets the size of the operating system's transmit buffer associated with the connection. If zero, system default is used
+          --kafka-dial-timeout duration                    How long to wait for the initial connection (default 15s)
+          --kafka-keep-alive duration                      Keep alive period for an active network connection. If zero, keep-alives are disabled (default 1m0s)
+          --kafka-max-open-requests int                    Maximal number of open requests pro tcp connection before sending on it blocks (default 256)
+          --kafka-read-timeout duration                    How long to wait for a response (default 30s)
+          --kafka-write-timeout duration                   How long to wait for a transmit (default 30s)
+          --log-format string                              Log format text or json (default "text")
+          --log-level string                               Log level debug, info, warning, error, fatal or panic (default "info")
+          --proxy-listener-ca-chain-cert-file string       PEM encoded CA's certificate file. If provided, client certificate is required and verified
+          --proxy-listener-cert-file string                PEM encoded file with server certificate
+          --proxy-listener-cipher-suites stringSlice       List of supported cipher suites
+          --proxy-listener-curve-preferences stringSlice   List of curve preferences
+          --proxy-listener-keep-alive duration             Keep alive period for an active network connection. If zero, keep-alives are disabled (default 1m0s)
+          --proxy-listener-key-file string                 PEM encoded file with private key for the server certificate
+          --proxy-listener-key-password string             Password to decrypt rsa private key
+          --proxy-listener-read-buffer-size int            Size of the operating system's receive buffer associated with the connection. If zero, system default is used
+          --proxy-listener-tls-enable                      Whether or not to use TLS listener
+          --proxy-listener-write-buffer-size int           Sets the size of the operating system's transmit buffer associated with the connection. If zero, system default is used
+          --proxy-request-buffer-size int                  Request buffer size pro tcp connection (default 4096)
+          --proxy-response-buffer-size int                 Response buffer size pro tcp connection (default 4096)
+          --sasl-enable                                    Connect using SASL/PLAIN
+          --sasl-jaas-config-file string                   Location of JAAS config file with SASL username and password
+          --sasl-password string                           SASL user password
+          --sasl-username string                           SASL user name
+          --tls-ca-chain-cert-file string                  PEM encoded CA's certificate file
+          --tls-client-cert-file string                    PEM encoded file with client certificate
+          --tls-client-key-file string                     PEM encoded file with private key for the client certificate
+          --tls-client-key-password string                 Password to decrypt rsa private key
+          --tls-enable                                     Whether or not to use TLS when connecting to the broker
+          --tls-insecure-skip-verify                       It controls whether a client verifies the server's certificate chain and host name
+
 
 
 ### Usage example
@@ -317,7 +320,7 @@ spec:
   2. google-id method
 * [X] Registry for built-in plugins
 * [X] Client cert check
-* [ ] TLS server parameters like CipherSuites etc. - see ory/graceful/blob/master/http_defaults.go
+* [X] Set TLS server CipherSuites and CurvePreferences
 * [ ] Performance tests and tuning
 * [ ] Socket buffer sizing e.g. SO_RCVBUF = 32768, SO_SNDBUF = 131072
 * [ ] Kafka connect tests

cmd/kafka-proxy/server.go

@@ -82,6 +82,8 @@ func init() {
 	Server.Flags().StringVar(&c.Proxy.TLS.ListenerKeyFile, "proxy-listener-key-file", "", "PEM encoded file with private key for the server certificate")
 	Server.Flags().StringVar(&c.Proxy.TLS.ListenerKeyPassword, "proxy-listener-key-password", "", "Password to decrypt rsa private key")
 	Server.Flags().StringVar(&c.Proxy.TLS.CAChainCertFile, "proxy-listener-ca-chain-cert-file", "", "PEM encoded CA's certificate file. If provided, client certificate is required and verified")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ListenerCipherSuites, "proxy-listener-cipher-suites", []string{}, "List of supported cipher suites")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ListenerCurvePreferences, "proxy-listener-curve-preferences", []string{}, "List of curve preferences")
 
 	// local authentication plugin
 	Server.Flags().BoolVar(&c.Auth.Local.Enable, "auth-local-enable", false, "Enable local SASL/PLAIN authentication performed by listener - SASL handshake will not be passed to kafka brokers")

config/config.go

@@ -52,11 +52,13 @@ type Config struct {
 		ListenerKeepAlive       time.Duration
 
 		TLS struct {
-			Enable              bool
-			ListenerCertFile    string
-			ListenerKeyFile     string
-			ListenerKeyPassword string
-			CAChainCertFile     string
+			Enable                   bool
+			ListenerCertFile         string
+			ListenerKeyFile          string
+			ListenerKeyPassword      string
+			CAChainCertFile          string
+			ListenerCipherSuites     []string
+			ListenerCurvePreferences []string
 		}
 	}
 	Auth struct {

proxy/tls.go

@@ -7,6 +7,47 @@ import (
 	"github.com/grepplabs/kafka-proxy/config"
 	"github.com/pkg/errors"
 	"io/ioutil"
+	"strings"
+)
+
+var (
+	defaultCurvePreferences = []tls.CurveID{
+		tls.CurveP256,
+		tls.X25519,
+	}
+
+	supportedCurvesMap = map[string]tls.CurveID{
+		"X25519": tls.X25519,
+		"P256":   tls.CurveP256,
+		"P384":   tls.CurveP384,
+		"P521":   tls.CurveP521,
+	}
+
+	defaultCipherSuites = []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	}
+	// https://github.com/mholt/caddy/blob/master/caddytls/config.go
+	supportedCiphersMap = map[string]uint16{
+		"ECDHE-ECDSA-AES256-GCM-SHA384":      tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		"ECDHE-RSA-AES256-GCM-SHA384":        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		"ECDHE-ECDSA-AES128-GCM-SHA256":      tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		"ECDHE-RSA-AES128-GCM-SHA256":        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		"ECDHE-ECDSA-WITH-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		"ECDHE-RSA-WITH-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		"ECDHE-RSA-AES256-CBC-SHA":           tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		"ECDHE-RSA-AES128-CBC-SHA":           tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		"ECDHE-ECDSA-AES256-CBC-SHA":         tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		"ECDHE-ECDSA-AES128-CBC-SHA":         tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		"RSA-AES256-CBC-SHA":                 tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		"RSA-AES128-CBC-SHA":                 tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		"ECDHE-RSA-3DES-EDE-CBC-SHA":         tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		"RSA-3DES-EDE-CBC-SHA":               tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	}
 )
 
 func newTLSListenerConfig(conf *config.Config) (*tls.Config, error) {
@@ -31,9 +72,22 @@ func newTLSListenerConfig(conf *config.Config) (*tls.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	cipherSuites, err := getCipherSuites(opts.ListenerCipherSuites)
+	if err != nil {
+		return nil, err
+	}
+	curvePreferences, err := getCurvePreferences(opts.ListenerCurvePreferences)
+	if err != nil {
+		return nil, err
+	}
+
 	cfg := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.NoClientCert,
+		Certificates:             []tls.Certificate{cert},
+		ClientAuth:               tls.NoClientCert,
+		PreferServerCipherSuites: true,
+		MinVersion:               tls.VersionTLS12,
+		CurvePreferences:         curvePreferences,
+		CipherSuites:             cipherSuites,
 	}
 	if opts.CAChainCertFile != "" {
 		caCertPEMBlock, err := ioutil.ReadFile(opts.CAChainCertFile)
@@ -50,7 +104,38 @@ func newTLSListenerConfig(conf *config.Config) (*tls.Config, error) {
 	return cfg, nil
 }
 
+func getCipherSuites(enabledCipherSuites []string) ([]uint16, error) {
+	suites := make([]uint16, 0)
+	for _, suite := range enabledCipherSuites {
+		cipher, ok := supportedCiphersMap[strings.TrimSpace(suite)]
+		if !ok {
+			return nil, errors.Errorf("invalid cipher suite '%s' selected", suite)
+		}
+		suites = append(suites, cipher)
+	}
+	if len(suites) == 0 {
+		return defaultCipherSuites, nil
+	}
+	return suites, nil
+}
+
+func getCurvePreferences(enabledCurvePreferences []string) ([]tls.CurveID, error) {
+	curvePreferences := make([]tls.CurveID, 0)
+	for _, curveID := range enabledCurvePreferences {
+		curvePreference, ok := supportedCurvesMap[strings.TrimSpace(curveID)]
+		if !ok {
+			return nil, errors.Errorf("invalid curveID '%s' selected", curveID)
+		}
+		curvePreferences = append(curvePreferences, curvePreference)
+	}
+	if len(curvePreferences) == 0 {
+		return defaultCurvePreferences, nil
+	}
+	return curvePreferences, nil
+}
+
 func newTLSClientConfig(conf *config.Config) (*tls.Config, error) {
+	// https://blog.cloudflare.com/exposing-go-on-the-internet/
 	opts := conf.Kafka.TLS
 
 	cfg := &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify}