Merge pull request #1392 from stevendanna/tls-configuration

Bump minimum TLS protocol to TLSv1.2

Merge pull request #1392 from stevendanna/tls-configuration
Bump minimum TLS protocol to TLSv1.2
81f15588 · Stephan Renatus · GitHub · 5ae09420 · 59f8b02d · 81f15588
Unverified Commit 81f15588 authored Jan 29, 2019 by Stephan Renatus Committed by GitHub Jan 29, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 19 deletions

serve.go cmd/dex/serve.go +28 -19

No files found.
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -116,13 +116,19 @@ func serve(cmd *cobra.Command, args []string) error {
 	var grpcOptions []grpc.ServerOption

 	if c.GRPC.TLSCert != "" {
-		if c.GRPC.TLSClientCA != "" {
-			// Parse certificates from certificate file and key file for server.
-			cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
-			if err != nil {
-				return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
-			}
+		// Parse certificates from certificate file and key file for server.
+		cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
+		if err != nil {
+			return fmt.Errorf("invalid config: error parsing gRPC certificate file: %v", err)
+		}
+
+		tlsConfig := tls.Config{
+			Certificates:             []tls.Certificate{cert},
+			MinVersion:               tls.VersionTLS12,
+			PreferServerCipherSuites: true,
+		}

+		if c.GRPC.TLSClientCA != "" {
 			// Parse certificates from client CA file to a new CertPool.
 			cPool := x509.NewCertPool()
 			clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
@@ -133,23 +139,17 @@ func serve(cmd *cobra.Command, args []string) error {
 				return errors.New("invalid config: failed to parse client CA")
 			}

-			tlsConfig := tls.Config{
-				Certificates: []tls.Certificate{cert},
-				ClientAuth:   tls.RequireAndVerifyClientCert,
-				ClientCAs:    cPool,
-			}
+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			tlsConfig.ClientCAs = cPool
+
+			// Only add metrics if client auth is enabled
 			grpcOptions = append(grpcOptions,
-				grpc.Creds(credentials.NewTLS(&tlsConfig)),
 				grpc.StreamInterceptor(grpcMetrics.StreamServerInterceptor()),
 				grpc.UnaryInterceptor(grpcMetrics.UnaryServerInterceptor()),
 			)
-		} else {
-			opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
-			if err != nil {
-				return fmt.Errorf("invalid config: load grpc certs: %v", err)
-			}
-			grpcOptions = append(grpcOptions, grpc.Creds(opt))
 		}
+
+		grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
 	}

 	s, err := c.Storage.Config.Open(logger)
@@ -275,9 +275,18 @@ func serve(cmd *cobra.Command, args []string) error {
 		}()
 	}
 	if c.Web.HTTPS != "" {
+		httpsSrv := &http.Server{
+			Addr:    c.Web.HTTPS,
+			Handler: serv,
+			TLSConfig: &tls.Config{
+				PreferServerCipherSuites: true,
+				MinVersion:               tls.VersionTLS12,
+			},
+		}
+
 		logger.Infof("listening (https) on %s", c.Web.HTTPS)
 		go func() {
-			err := http.ListenAndServeTLS(c.Web.HTTPS, c.Web.TLSCert, c.Web.TLSKey, serv)
+			err = httpsSrv.ListenAndServeTLS(c.Web.TLSCert, c.Web.TLSKey)
 			errc <- fmt.Errorf("listening on %s failed: %v", c.Web.HTTPS, err)
 		}()
 	}