expose MinTLSVersion config for TLS handshake (#3103)

* expose MinTLSVersion config * address comment * use valid TLS version in config test
2024-11-12 12:50:09 -08:00 · 2024-11-12 12:50:09 -08:00 · 9b43fb7f8d
--- a/cns/configuration/cns_config.json
+++ b/cns/configuration/cns_config.json
@ -33,5 +33,6 @@
    "MellanoxMonitorIntervalSecs": 30,
    "AZRSettings": {
        "PopulateHomeAzCacheRetryIntervalSecs": 60
-    }
+    },
+    "MinTLSVersion": "TLS 1.2"
 }
--- a/cns/configuration/configuration.go
+++ b/cns/configuration/configuration.go
@ -54,6 +54,7 @@ type CNSConfig struct {
 	WatchPods                   bool `json:"-"`
 	WireserverIP                string
 	GRPCSettings                GRPCSettings
+	MinTLSVersion               string
 }

 type TelemetrySettings struct {
@ -229,6 +230,10 @@ func SetCNSConfigDefaults(config *CNSConfig) {
 	if config.GRPCSettings.Port == 0 {
 		config.GRPCSettings.Port = 8080
 	}
+
+	if config.MinTLSVersion == "" {
+		config.MinTLSVersion = "TLS 1.2"
+	}
 	config.GRPCSettings.Enable = false
 	config.WatchPods = config.EnableIPAMv2 || config.EnableSwiftV2
 }
--- a/cns/configuration/configuration_test.go
+++ b/cns/configuration/configuration_test.go
@ -89,6 +89,7 @@ func TestReadConfigFromFile(t *testing.T) {
 				UseHTTPS:      true,
 				UseMTLS:       true,
 				WireserverIP:  "168.63.129.16",
+				MinTLSVersion: "TLS 1.3",
 			},
 			wantErr: false,
 		},
@ -220,6 +221,7 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "localhost",
 					Port:      8080,
 				},
+				MinTLSVersion: "TLS 1.2",
 			},
 		},
 		{
@ -250,6 +252,7 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "192.168.1.1",
 					Port:      9090,
 				},
+				MinTLSVersion: "TLS 1.3",
 			},
 			want: CNSConfig{
 				ChannelMode: "Other",
@ -279,6 +282,7 @@ func TestSetCNSConfigDefaults(t *testing.T) {
 					IPAddress: "192.168.1.1",
 					Port:      9090,
 				},
+				MinTLSVersion: "TLS 1.3",
 			},
 		},
 	}
--- a/cns/configuration/testdata/good.json
+++ b/cns/configuration/testdata/good.json
@ -34,5 +34,6 @@
    "WireserverIP": "168.63.129.16",
    "AZRSettings": {
        "PopulateHomeAzCacheRetryIntervalSecs": 60
-    }
+    },
+    "MinTLSVersion": "TLS 1.3"
 }
--- a/cns/service.go
+++ b/cns/service.go
@ -28,6 +28,8 @@ const (
 	genericData          = "com.microsoft.azure.network.generic"
 )

+var errTLSConfig = errors.New("unsupported TLS version name from config")
+
 // Service defines Container Networking Service.
 type Service struct {
 	*common.Service
@ -179,10 +181,14 @@ func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error)
 		PrivateKey:  privateKey,
 		Leaf:        leafCertificate,
 	}
+	minTLSVersionNumber, err := parseTLSVersionName(tlsSettings.MinTLSVersion)
+	if err != nil {
+		return nil, errors.Wrap(err, "parsing MinTLSVersion from config")
+	}

 	tlsConfig := &tls.Config{
 		MaxVersion: tls.VersionTLS13,
-		MinVersion: tls.VersionTLS12,
+		MinVersion: minTLSVersionNumber,
 		Certificates: []tls.Certificate{
 			tlsCert,
 		},
@ -226,8 +232,13 @@ func getTLSConfigFromKeyVault(tlsSettings localtls.TlsSettings, errChan chan<- e
 		errChan <- cr.Refresh(ctx, tlsSettings.KeyVaultCertificateRefreshInterval)
 	}()

+	minTLSVersionNumber, err := parseTLSVersionName(tlsSettings.MinTLSVersion)
+	if err != nil {
+		return nil, errors.Wrap(err, "parsing MinTLSVersion from config")
+	}
+
 	tlsConfig := tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: minTLSVersionNumber,
 		MaxVersion: tls.VersionTLS13,
 		GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			return cr.GetCertificate(), nil
@ -316,3 +327,16 @@ func (service *Service) SendErrorResponse(w http.ResponseWriter, errMsg error) {
 	err := acn.Encode(w, &resp)
 	logger.Errorf("[%s] %+v %s.", service.Name, &resp, err.Error())
 }
+
+// parseTLSVersionName returns the version number for the provided TLS version name
+// (e.g. 0x0301)
+func parseTLSVersionName(versionName string) (uint16, error) {
+	switch versionName {
+	case "TLS 1.2":
+		return tls.VersionTLS12, nil
+	case "TLS 1.3":
+		return tls.VersionTLS13, nil
+	default:
+		return 0, errors.Wrapf(errTLSConfig, "version name %s", versionName)
+	}
+}
--- a/cns/service/main.go
+++ b/cns/service/main.go
@ -776,6 +776,7 @@ func main() {
 				MSIResourceID:                      cnsconfig.MSISettings.ResourceID,
 				KeyVaultCertificateRefreshInterval: time.Duration(cnsconfig.KeyVaultSettings.RefreshIntervalInHrs) * time.Hour,
 				UseMTLS:                            cnsconfig.UseMTLS,
+				MinTLSVersion:                      cnsconfig.MinTLSVersion,
 			}
 		}

--- a/cns/service_test.go
+++ b/cns/service_test.go
@ -76,6 +76,7 @@ func TestNewService(t *testing.T) {
 			TLSPort:            "10091",
 			TLSSubjectName:     "localhost",
 			TLSCertificatePath: testCertFilePath,
+			MinTLSVersion:      "TLS 1.2",
 		}

 		svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
@ -94,10 +95,13 @@ func TestNewService(t *testing.T) {
 		err = svc.StartListener(config)
 		require.NoError(t, err)

+		minTLSVersionNumber, err := parseTLSVersionName(config.TLSSettings.MinTLSVersion)
+		require.NoError(t, err)
+
 		tlsClient := &http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
-					MinVersion: tls.VersionTLS12,
+					MinVersion: minTLSVersionNumber,
 					MaxVersion: tls.VersionTLS13,
 					ServerName: config.TLSSettings.TLSSubjectName,
 					// #nosec G402 for test purposes only
@ -134,6 +138,7 @@ func TestNewService(t *testing.T) {
 			TLSSubjectName:     "localhost",
 			TLSCertificatePath: testCertFilePath,
 			UseMTLS:            true,
+			MinTLSVersion:      "TLS 1.2",
 		}

 		svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
@ -322,3 +327,31 @@ func createTestCertificate(t *testing.T) string {

 	return testCertFilePath
 }
+
+func TestTLSVersionNumber(t *testing.T) {
+	t.Run("unsupported ServerSettings.MinTLSVersion TLS 1.0", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.0")
+		require.Equal(t, uint16(0), versionNumber)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "unsupported TLS version name")
+	})
+
+	t.Run("unsupported ServerSettings.MinTLSVersion TLS 1.1", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.1")
+		require.Equal(t, uint16(0), versionNumber)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "unsupported TLS version name")
+	})
+	t.Run("unsupported ServerSettings.MinTLSVersion TLS 1.4", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.4")
+		require.Equal(t, uint16(0), versionNumber)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "unsupported TLS version name")
+	})
+
+	t.Run("valid ServerSettings.MinTLSVersion", func(t *testing.T) {
+		versionNumber, err := parseTLSVersionName("TLS 1.2")
+		require.Equal(t, uint16(tls.VersionTLS12), versionNumber)
+		require.NoError(t, err)
+	})
+}
--- a/server/tls/tlscertificate_retriever.go
+++ b/server/tls/tlscertificate_retriever.go
@ -14,6 +14,7 @@ type TlsSettings struct {
 	MSIResourceID                      string
 	KeyVaultCertificateRefreshInterval time.Duration
 	UseMTLS                            bool
+	MinTLSVersion                      string
 }

 func GetTlsCertificateRetriever(settings TlsSettings) (TlsCertificateRetriever, error) {