Add capability to limit TLS versions and cipher suites (#6246)

2019-08-20 01:01:01 +02:00
parent fbfaf767f1
commit 149d221191
10 changed files with 286 additions and 1 deletions
--- a/plugins/outputs/prometheus_client/README.md
+++ b/plugins/outputs/prometheus_client/README.md
@@ -40,6 +40,14 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
  ## enable mutually authenticated TLS connections
  # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]

+  ## contains the minimum SSL/TLS version that is acceptable.
+  ## If not set, then TLS 1.0 is taken as the minimum.
+  # tls_min_version = "TLS11"
+
+  ## contains the maximum SSL/TLS version that is acceptable.
+  ## If not set, then the maximum supported version is used.
+  # tls_max_version = "TLS12"
+
  ## Export metric collection time.
  # export_timestamp = false
 ```
--- a/plugins/outputs/prometheus_client/prometheus_client.go
+++ b/plugins/outputs/prometheus_client/prometheus_client.go
@@ -117,6 +117,8 @@ var sampleConfig = `
  ## enable mutually authenticated TLS connections
  # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]

+  # tls_cipher_suites = ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
+
  ## Export metric collection time.
  # export_timestamp = false
 `
--- a/plugins/outputs/prometheus_client/prometheus_client_tls_test.go
+++ b/plugins/outputs/prometheus_client/prometheus_client_tls_test.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"testing"

+	inttls "github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
 	"github.com/influxdata/telegraf/testutil"
 	"github.com/influxdata/toml"
@@ -19,7 +20,9 @@ var configWithTLS = fmt.Sprintf(`
 tls_allowed_cacerts = ["%s"]
 tls_cert = "%s"
 tls_key = "%s"
-`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey)
+ tls_cipher_suites = ["%s"]
+ tls_min_version = "%s"
+`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey, pki.CipherSuite(), pki.TLSMaxVersion())

 var configWithoutTLS = `
  listen = "127.0.0.1:0"
@@ -50,12 +53,22 @@ func TestWorksWithTLS(t *testing.T) {
 	require.NoError(t, err)
 	defer tc.Output.Close()

+	serverCiphers, err := inttls.ParseCiphers(tc.Output.ServerConfig.TLSCipherSuites)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(serverCiphers))
+
+	tlsVersion, err := inttls.ParseTLSVersion(tc.Output.ServerConfig.TLSMinVersion)
+	require.NoError(t, err)
+
 	response, err := tc.Client.Get(tc.Output.URL())
 	require.NoError(t, err)

 	require.NoError(t, err)
 	require.Equal(t, response.StatusCode, http.StatusOK)

+	require.Equal(t, response.TLS.CipherSuite, serverCiphers[0])
+	require.Equal(t, response.TLS.Version, tlsVersion)
+
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}