cmd/skipper: allow exclusion of insecure cipher suites (#3123)

Golang maintains a list of cipher suites considered
insecure, which are still allowed if requested. This flag
will allow those cipher suites to be completely excluded.

Signed-off-by: Ricardo Herrera <[email protected]>

Author: rickhlx

config/config.go

@@ -219,6 +219,9 @@ type Config struct {
 	// TLS version
 	TLSMinVersion string `yaml:"tls-min-version"`
 
+	// Exclude insecure cipher suites
+	ExcludeInsecureCipherSuites bool `yaml:"exclude-insecure-cipher-suites"`
+
 	// TLS Config
 	KubernetesEnableTLS bool `yaml:"kubernetes-enable-tls"`
 
@@ -517,6 +520,9 @@ func NewConfig() *Config {
 	// TLS version
 	flag.StringVar(&cfg.TLSMinVersion, "tls-min-version", defaultMinTLSVersion, "minimal TLS Version to be used in server, proxy and client connections")
 
+	// Exclude insecure cipher suites
+	flag.BoolVar(&cfg.ExcludeInsecureCipherSuites, "exclude-insecure-cipher-suites", false, "excludes insecure cipher suites")
+
 	// API Monitoring:
 	flag.BoolVar(&cfg.ApiUsageMonitoringEnable, "enable-api-usage-monitoring", false, "enables the apiUsageMonitoring filter")
 	flag.StringVar(&cfg.ApiUsageMonitoringRealmKeys, "api-usage-monitoring-realm-keys", "", "name of the property in the JWT payload that contains the authority realm")
@@ -715,6 +721,7 @@ func (c *Config) ToOptions() skipper.Options {
 		DebugListener:             c.DebugListener,
 		CertPathTLS:               c.CertPathTLS,
 		KeyPathTLS:                c.KeyPathTLS,
+		CipherSuites:              c.filterCipherSuites(),
 		MaxLoopbacks:              c.MaxLoopbacks,
 		DefaultHTTPStatus:         c.DefaultHTTPStatus,
 		ReverseSourcePredicate:    c.ReverseSourcePredicate,
@@ -1031,6 +1038,19 @@ func (c *Config) getMinTLSVersion() uint16 {
 	return tlsVersionTable[defaultMinTLSVersion]
 }
 
+func (c *Config) filterCipherSuites() []uint16 {
+	if !c.ExcludeInsecureCipherSuites {
+		return nil
+	}
+
+	cipherSuites := make([]uint16, 0)
+	for _, suite := range tls.CipherSuites() {
+		cipherSuites = append(cipherSuites, suite.ID)
+	}
+
+	return cipherSuites
+}
+
 func (c *Config) parseHistogramBuckets() ([]float64, error) {
 	if c.HistogramMetricBucketsString == "" {
 		return prometheus.DefBuckets, nil

config/config_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"os"
 	"reflect"
+	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -174,6 +175,7 @@ func TestToOptions(t *testing.T) {
 		c.ProxyPreserveHost = true // 4
 		c.RemoveHopHeaders = true  // 16
 		c.RfcPatchPath = true      // 32
+		c.ExcludeInsecureCipherSuites = true
 
 		// config
 		c.EtcdUrls = "127.0.0.1:5555"
@@ -231,6 +233,15 @@ func TestToOptions(t *testing.T) {
 	if len(opt.EditRoute) != 1 {
 		t.Errorf("Failed to get expected edit route: %s", c.EditRoute)
 	}
+	if opt.CipherSuites == nil {
+		t.Errorf("Failed to get the filtered cipher suites")
+	} else {
+		for _, i := range tls.InsecureCipherSuites() {
+			if slices.Contains(opt.CipherSuites, i.ID) {
+				t.Errorf("Insecure cipher found in list: %s", i.Name)
+			}
+		}
+	}
 }
 
 func Test_Validate(t *testing.T) {
@@ -405,6 +416,23 @@ func TestMinTLSVersion(t *testing.T) {
 	})
 }
 
+func TestExcludeInsecureCipherSuites(t *testing.T) {
+
+	t.Run("test default", func(t *testing.T) {
+		cfg := new(Config)
+		if cfg.filterCipherSuites() != nil {
+			t.Error("No cipher suites should be filtered by default")
+		}
+	})
+	t.Run("test excluded insecure cipher suites", func(t *testing.T) {
+		cfg := new(Config)
+		cfg.ExcludeInsecureCipherSuites = true
+		if cfg.filterCipherSuites() == nil {
+			t.Error(`Failed to get list of filtered cipher suites`)
+		}
+	})
+}
+
 type testFormatter struct {
 	messages map[string]log.Level
 }

skipper.go

@@ -614,6 +614,9 @@ type Options struct {
 	// TLSMinVersion to set the minimal TLS version for all TLS configurations
 	TLSMinVersion uint16
 
+	// CipherSuites sets the list of cipher suites to use for TLS 1.2
+	CipherSuites []uint16
+
 	// Flush interval for upgraded Proxy connections
 	BackendFlushInterval time.Duration
 
@@ -1176,6 +1179,10 @@ func (o *Options) tlsConfig(cr *certregistry.CertRegistry) (*tls.Config, error)
 		MinVersion: o.TLSMinVersion,
 	}
 
+	if o.CipherSuites != nil {
+		config.CipherSuites = o.CipherSuites
+	}
+
 	if cr != nil {
 		config.GetCertificate = cr.GetCertFromHello
 	}

skipper_test.go

@@ -186,6 +186,13 @@ func TestOptionsTLSConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, uint16(tls.VersionTLS13), c.MinVersion)
 	require.Equal(t, []tls.Certificate{cert, cert2}, c.Certificates)
+
+	// TLS Cipher Suites
+	o = &Options{CipherSuites: []uint16{1}}
+	c, err = o.tlsConfig(cr)
+	require.NoError(t, err)
+	assert.Equal(t, len(c.CipherSuites), 1)
+
 }
 
 func TestOptionsTLSConfigInvalidPaths(t *testing.T) {