From 3a3c5d357ac821df1c1cb0bde1ba5fb10315dc87 Mon Sep 17 00:00:00 2001
From: Mike Grass
Date: Wed, 12 May 2021 11:57:18 -0600
Subject: [PATCH] Deprecate old TLS versions and insecure ciphers by default (#31)

---
 pkg/injectionwebhook/config/config.go | 3 +++
 pkg/injectionwebhook/webhook.go | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/pkg/injectionwebhook/config/config.go b/pkg/injectionwebhook/config/config.go
index c0e0b44..69ecb1d 100644
--- a/pkg/injectionwebhook/config/config.go
+++ b/pkg/injectionwebhook/config/config.go
@@ -24,6 +24,9 @@ type WebhookConfig struct {
 	SidecarConfigFile string `long:"sidecar-config-file" required:"true" description:"file containing the sidecar container configuration"`
 	MutationConfigFile string `long:"mutation-config-file" required:"true" description:"file containing the mutation configuration"`
 	BuildInfoLabels string `long:"build-info-labels" required:"false" description:"additional build info metric labels"`
+
+	// Flag to permit fallback to old, insecure TLS configurations.
+	AllowDeprecatedTLSConfig bool `long:"allow-deprecated-tls-config" required:"false" description:"permits use of deprecated TLS configuration (TLS 1.0/1.1, weak ciphers)"`
 }
 
 // NewWebhookConfig is a constructor for WebhookConfig
diff --git a/pkg/injectionwebhook/webhook.go b/pkg/injectionwebhook/webhook.go
index f323827..6f8fe01 100644
--- a/pkg/injectionwebhook/webhook.go
+++ b/pkg/injectionwebhook/webhook.go
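Review bot: The comment on the new `AllowDeprecatedTLSConfig` field does not begin with the field name, which is the Go convention for exported identifiers; `// AllowDeprecatedTLSConfig permits fallback to old, insecure TLS configurations (TLS 1.0/1.1, weak ciphers). Off by default.` would read better and makes the safe default explicit. The description string spells out what "deprecated" covers, but the enforcement lives in webhook.go, so the two should be kept in step whenever the minimum version or cipher list there changes. The opening line of WebhookConfig is outside the hunk.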
@@ -274,6 +274,19 @@ func (whsvr *WebhookServer) Start() (chan bool, chan bool, error) {
 			return whsvr.certificateReloader.GetCertificate()
 		},
 	}
+	if !config.AllowDeprecatedTLSConfig {
+		tlsConfig.MinVersion = tls.VersionTLS12
+		tlsConfig.CipherSuites = []uint16{
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		}
+		tlsConfig.PreferServerCipherSuites = true
+	}
+
 	if config.CaFilePath != "" {
 		caCert, err := ioutil.ReadFile(config.CaFilePath)
 		if err != nil {
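Review bot: The two TLS 1.3 entries at the top of `tlsConfig.CipherSuites` (`tls.TLS_AES_256_GCM_SHA384`, `tls.TLS_AES_128_GCM_SHA256`) have no effect, because crypto/tls does not let callers configure TLS 1.3 suites and ignores them in this field, so only the four ECDHE entries shape TLS 1.2 negotiation. A comment above the slice would keep a reader from assuming the list constrains TLS 1.3: `// Only the ECDHE entries matter here: crypto/tls ignores TLS 1.3 suites in CipherSuites and always uses its own TLS 1.3 set.` When the flag is set the whole branch is skipped and the listener silently falls back to the Go runtime's defaults, so emitting one warning line in an `else` branch (through whatever logger Start already uses) would make use of the deprecated configuration visible in logs. `PreferServerCipherSuites` is deprecated and ignored from Go 1.17 onward, which is harmless but worth noting in the same comment. Start begins before the hunk and its body continues after it.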