cmd/skipper: allow exclusion of insecure cipher suites

Golang maintains a list of cipher suites considered insecure, which are still allowed if requested. This flag will allow those cipher suites to be completely excluded.
zalando · Jun 21, 2024 · 3f15358 · 3f15358
1 parent 9bf19e4
commit 3f15358
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/config/config.go b/config/config.go
@@ -219,6 +219,9 @@ type Config struct {
 	// TLS version
 	TLSMinVersion string `yaml:"tls-min-version"`
 
+	// Exclude insecure cipher suites
+	ExcludeInsecureCipherSuites bool `yaml:"exclude-insecure-cipher-suites"`
+
 	// TLS Config
 	KubernetesEnableTLS bool `yaml:"kubernetes-enable-tls"`
 
@@ -517,6 +520,9 @@ func NewConfig() *Config {
 	// TLS version
 	flag.StringVar(&cfg.TLSMinVersion, "tls-min-version", defaultMinTLSVersion, "minimal TLS Version to be used in server, proxy and client connections")
 
+	// Exclude insecure cipher suites
+	flag.BoolVar(&cfg.ExcludeInsecureCipherSuites, "exclude-insecure-cipher-suites", false, "excludes insecure cipher suites")
+
 	// API Monitoring:
 	flag.BoolVar(&cfg.ApiUsageMonitoringEnable, "enable-api-usage-monitoring", false, "enables the apiUsageMonitoring filter")
 	flag.StringVar(&cfg.ApiUsageMonitoringRealmKeys, "api-usage-monitoring-realm-keys", "", "name of the property in the JWT payload that contains the authority realm")
@@ -715,6 +721,7 @@ func (c *Config) ToOptions() skipper.Options {
 		DebugListener:             c.DebugListener,
 		CertPathTLS:               c.CertPathTLS,
 		KeyPathTLS:                c.KeyPathTLS,
+		CipherSuites:              c.filterCipherSuites(),
 		MaxLoopbacks:              c.MaxLoopbacks,
 		DefaultHTTPStatus:         c.DefaultHTTPStatus,
 		ReverseSourcePredicate:    c.ReverseSourcePredicate,
@@ -1031,6 +1038,19 @@ func (c *Config) getMinTLSVersion() uint16 {
 	return tlsVersionTable[defaultMinTLSVersion]
 }
 
+func (c *Config) filterCipherSuites() []uint16 {
+	if c.ExcludeInsecureCipherSuites == false {
+		return nil
+	}
+
+	cipherSuites := make([]uint16, 0)
+	for _, suite := range tls.CipherSuites() {
+		cipherSuites = append(cipherSuites, suite.ID)
+	}
+
+	return cipherSuites
+}
+
 func (c *Config) parseHistogramBuckets() ([]float64, error) {
 	if c.HistogramMetricBucketsString == "" {
 		return prometheus.DefBuckets, nil

diff --git a/skipper.go b/skipper.go
@@ -614,6 +614,9 @@ type Options struct {
 	// TLSMinVersion to set the minimal TLS version for all TLS configurations
 	TLSMinVersion uint16
 
+	// List of cipher suites to use for TLS 1.2
+	CipherSuites []uint16
+
 	// Flush interval for upgraded Proxy connections
 	BackendFlushInterval time.Duration
 
@@ -1176,6 +1179,10 @@ func (o *Options) tlsConfig(cr *certregistry.CertRegistry) (*tls.Config, error)
 		MinVersion: o.TLSMinVersion,
 	}
 
+	if o.CipherSuites != nil {
+		config.CipherSuites = o.CipherSuites
+	}
+
 	if cr != nil {
 		config.GetCertificate = cr.GetCertFromHello
 	}