Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix CVE-2016-2183 (#5844) 

* fix CVE-2016-2183

* allow tls.min_version and tls.max_version not set
pull/5846/head
zuzuviewer 5 months ago
committed by GitHub
parent
4fee496b49
commit
5ee50d26d8
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 80 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      weed/command/s3.go
  2. 82
      weed/security/tls.go

4
weed/command/s3.go
View File

@ -328,6 +328,10 @@ func (s3opt *S3Options) startS3Server() bool {
ClientAuth: clientAuth,
ClientCAs: caCertPool,
}
err = security.FixTlsConfig(util.GetViper(), httpS.TLSConfig)
if err != nil {
glog.Fatalf("error with tls config: %v", err)
}
if *s3opt.portHttps == 0 {
glog.V(0).Infof("Start Seaweed S3 API Server %s at https port %d", util.Version(), *s3opt.port)
if s3ApiLocalListener != nil {

82
weed/security/tls.go
View File

@ -4,16 +4,17 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
"google.golang.org/grpc/security/advancedtls"
"os"
"slices"
"strings"
"time"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/util"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
"google.golang.org/grpc/security/advancedtls"
)
const CredRefreshingInterval = time.Duration(5) * time.Hour
@ -62,7 +63,22 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
RootProvider: serverRootProvider,
},
RequireClientCert: true,
VerificationType: advancedtls.CertVerification,
VerificationType: advancedtls.CertVerification,
}
options.MinTLSVersion, err = TlsVersionByName(config.GetString("tls.min_version"))
if err != nil {
glog.Warningf("tls min version parse failed, %v", err)
return nil, nil
}
options.MaxTLSVersion, err = TlsVersionByName(config.GetString("tls.max_version"))
if err != nil {
glog.Warningf("tls max version parse failed, %v", err)
return nil, nil
}
options.CipherSuites, err = TlsCipherSuiteByNames(config.GetString("tls.cipher_suites"))
if err != nil {
glog.Warningf("tls cipher suite parse failed, %v", err)
return nil, nil
}
allowedCommonNames := config.GetString(component + ".allowed_commonNames")
allowedWildcardDomain := config.GetString("grpc.allowed_wildcard_domain")
@ -123,8 +139,8 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
IdentityProvider: clientProvider,
},
AdditionalPeerVerification: func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
return &advancedtls.PostHandshakeVerificationResults{}, nil
},
return &advancedtls.PostHandshakeVerificationResults{}, nil
},
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: clientRootProvider,
},
@ -166,3 +182,57 @@ func (a Authenticator) Authenticate(params *advancedtls.HandshakeVerificationInf
glog.Error(err)
return nil, err
}
func FixTlsConfig(viper *util.ViperProxy, config *tls.Config) error {
var err error
config.MinVersion, err = TlsVersionByName(viper.GetString("tls.min_version"))
if err != nil {
return err
}
config.MaxVersion, err = TlsVersionByName(viper.GetString("tls.max_version"))
if err != nil {
return err
}
config.CipherSuites, err = TlsCipherSuiteByNames(viper.GetString("tls.cipher_suites"))
return err
}
func TlsVersionByName(name string) (uint16, error) {
switch name {
case "":
return 0, nil
case "SSLv3":
return tls.VersionSSL30, nil
case "TLS 1.0":
return tls.VersionTLS10, nil
case "TLS 1.1":
return tls.VersionTLS11, nil
case "TLS 1.2":
return tls.VersionTLS12, nil
case "TLS 1.3":
return tls.VersionTLS13, nil
default:
return 0, fmt.Errorf("invalid tls version %s", name)
}
}
func TlsCipherSuiteByNames(cipherSuiteNames string) ([]uint16, error) {
cipherSuiteNames = strings.TrimSpace(cipherSuiteNames)
if cipherSuiteNames == "" {
return nil, nil
}
names := strings.Split(cipherSuiteNames, ",")
cipherSuites := tls.CipherSuites()
cipherIds := make([]uint16, 0, len(names))
for _, name := range names {
name = strings.TrimSpace(name)
index := slices.IndexFunc(cipherSuites, func(suite *tls.CipherSuite) bool {
return name == suite.Name
})
if index == -1 {
return nil, fmt.Errorf("invalid tls cipher suite name %s", name)
}
cipherIds = append(cipherIds, cipherSuites[index].ID)
}
return cipherIds, nil
}
Write Preview
Loading…
Cancel
Save