Merge pull request #142 from ormergi/allow-insecure-ciphers

webhook server,tls: Allow using insecure ciphers and ciphers suites when tls-min-version is 1.3

Author: kubevirt-bot

cmd/main.go

@@ -88,7 +88,10 @@ func main() {
 		"Supported values are tls package constants names (e.g. VersionTLS13), please see "+
 		"https://pkg.go.dev/crypto/tls#pkg-constants")
 	flag.StringVar(&tlsCipherSuitesRaw, "tls-cipher-suites", "",
-		"Comma-separated list of TLS cipher suite names (OpenSSL names. E.g: TLS_AES_128_GCM_SHA256).")
+		"Comma-separated list of TLS cipher suite names."+
+			"Supported values are tls package constants names (e.g. TLS_AES_128_GCM_SHA256), please see "+
+			"https://pkg.go.dev/crypto/tls#pkg-constants"+
+			"When 'min-tls-version' is 'VersionTLS13', cipher suites are selected by the runtime.")
 	flag.StringVar(&tlsCurvePreferencesRaw, "tls-curve-preferences", "",
 		"Comma-separated list of TLS curve preference names. "+
 			"Supported values are tls package constants names (e.g. CurveP256), please see "+

pkg/config/tls.go

@@ -68,12 +68,6 @@ func ParseTLSOptions(
 	}
 
 	cipherSuiteNames := parseStringSlice(tlsCipherSuitesRaw)
-	if err := validateSafeCipherSuite(cipherSuiteNames); err != nil {
-		return nil, err
-	}
-	if err := validateTLSVersionConfigurableCiphers(tlsMinVersion, cipherSuiteNames); err != nil {
-		return nil, err
-	}
 	cipherSuiteIDs, err := toCipherSuiteIDs(cipherSuiteNames)
 	if err != nil {
 		return nil, err
@@ -110,22 +104,6 @@ func toTLSVersion(tlsVersionName string) (uint16, error) {
 	return tlsVersion, nil
 }
 
-func validateSafeCipherSuite(cipherSuiteNames []string) error {
-	for _, cipherSuiteName := range cipherSuiteNames {
-		if _, exist := indexedInsecureCipherSuiteNames[cipherSuiteName]; exist {
-			return fmt.Errorf("using insecure cipher suite %q is not allowed", cipherSuiteName)
-		}
-	}
-	return nil
-}
-
-func validateTLSVersionConfigurableCiphers(versionID uint16, cipherSuiteNames []string) error {
-	if versionID == tls.VersionTLS13 && len(cipherSuiteNames) > 0 {
-		return fmt.Errorf("configuring cipher suites for TLS 1.3 is not allowed")
-	}
-	return nil
-}
-
 func toCipherSuiteIDs(cipherSuiteNames []string) ([]uint16, error) {
 	ids, err := getValuesByKeys(tlsCipherSuiteIDByName, cipherSuiteNames)
 	if err != nil {

pkg/config/tls_test.go

@@ -65,19 +65,6 @@ var _ = Describe("ParseTLSOptions", func() {
 				ciphers:    "TLS_AES_128_GCM_SHA256",
 			},
 		),
-		Entry("cipher suites are specified and minimal version is 1.3",
-			flags{
-				minVersion: "VersionTLS13",
-				ciphers:    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384",
-			},
-		),
-		Entry("insecure cipher suite is specified",
-			flags{
-				minVersion: "VersionTLS12",
-				// TLS_RSA_WITH_AES_128_CBC_SHA256 is insecure cipher suite for TLS 1.2
-				ciphers: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256",
-			},
-		),
 	)
 
 	DescribeTable("should succeed, given",