Deprecate old TLS versions and insecure ciphers by default (#31)

salesforce · May 12, 2021 · 3a3c5d3 · 3a3c5d3
1 parent 2679362
commit 3a3c5d3
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/pkg/injectionwebhook/config/config.go b/pkg/injectionwebhook/config/config.go
@@ -24,6 +24,9 @@ type WebhookConfig struct {
 	SidecarConfigFile  string `long:"sidecar-config-file" required:"true" description:"file containing the sidecar container configuration"`
 	MutationConfigFile string `long:"mutation-config-file" required:"true" description:"file containing the mutation configuration"`
 	BuildInfoLabels    string `long:"build-info-labels" required:"false" description:"additional build info metric labels"`
+
+	// Flag to permit fallback to old, insecure TLS configurations.
+	AllowDeprecatedTLSConfig bool `long:"allow-deprecated-tls-config" required:"false" description:"permits use of deprecated TLS configuration (TLS 1.0/1.1, weak ciphers)"`
 }
 
 // NewWebhookConfig is a constructor for WebhookConfig

diff --git a/pkg/injectionwebhook/webhook.go b/pkg/injectionwebhook/webhook.go
@@ -274,6 +274,19 @@ func (whsvr *WebhookServer) Start() (chan bool, chan bool, error) {
 				return whsvr.certificateReloader.GetCertificate()
 			},
 		}
+		if !config.AllowDeprecatedTLSConfig {
+			tlsConfig.MinVersion = tls.VersionTLS12
+			tlsConfig.CipherSuites = []uint16{
+				tls.TLS_AES_256_GCM_SHA384,
+				tls.TLS_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			}
+			tlsConfig.PreferServerCipherSuites = true
+		}
+
 		if config.CaFilePath != "" {
 			caCert, err := ioutil.ReadFile(config.CaFilePath)
 			if err != nil {