Граф коммитов

2 Коммитов

Автор SHA1 Сообщение Дата
Phil Estes 9b43f5a3a1 Split client and server cipher suite list in TLS defaults
Per @ewindisch, removing the CBC ciphers from the client preferred TLS
cipher suites.  This will allow a future version of the server to also
remove the CBC ciphers from the accepted list.

This changes the server default to client + additional CBC cipher list,
and client default to the non-CBC ciphers.

Also, cipher order preference is modified so that best and highest-bit count
ciphers are most preferred.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-06-11 14:00:31 -04:00
Tibor Vass bfed4b7cc3 Refactor TLS code with a new `tlsconfig` package
This patch creates a new `tlsconfig` package to handle creation of
secure-enough TLS configurations for clients and servers.

The package was created by refactoring TLS code in the client and the
daemon. After this patch, it is expected that all code creating TLS
configurations use this `tlsconfig` package for greater security,
consistency and readability.

On the server side, this fixes a bug where --tlsverify was not taken
into account. Now, if specified, it will require the client to
authenticate.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-05 12:38:38 -04:00