diff --git a/internal/outpost/ldap/ldap_tls.go b/internal/outpost/ldap/ldap_tls.go
index a16034dbe..4866769a6 100644
--- a/internal/outpost/ldap/ldap_tls.go
+++ b/internal/outpost/ldap/ldap_tls.go
@@ -6,6 +6,7 @@ import (
 "github.com/pires/go-proxyproto"
 "goauthentik.io/internal/config"
+ "goauthentik.io/internal/utils"
 )
 func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
@@ -38,11 +39,8 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
 func (ls *LDAPServer) StartLDAPTLSServer() error {
 listen := config.Get().Listen.LDAPS
- tlsConfig := &tls.Config{
- MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12,
- GetCertificate: ls.getCertificates,
- }
+ tlsConfig := utils.GetTLSConfig()
+ tlsConfig.GetCertificate = ls.getCertificates
 ln, err := net.Listen("tcp", listen)
 if err != nil {
diff --git a/internal/outpost/proxyv2/proxyv2.go b/internal/outpost/proxyv2/proxyv2.go
index 930111931..154f79e34 100644
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@@ -18,6 +18,7 @@ import (
 "goauthentik.io/internal/outpost/ak"
 "goauthentik.io/internal/outpost/proxyv2/application"
 "goauthentik.io/internal/outpost/proxyv2/metrics"
+ "goauthentik.io/internal/utils"
 sentryutils "goauthentik.io/internal/utils/sentry"
 "goauthentik.io/internal/utils/web"
 )
@@ -129,11 +130,8 @@ func (ps *ProxyServer) ServeHTTP() {
 // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
 func (ps *ProxyServer) ServeHTTPS() {
 listenAddress := config.Get().Listen.HTTPS
- config := &tls.Config{
- MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12,
- GetCertificate: ps.getCertificates,
- }
+ tlsConfig := utils.GetTLSConfig()
+ tlsConfig.GetCertificate = ps.getCertificates
 ln, err := net.Listen("tcp", listenAddress)
 if err != nil {
@@ -143,7 +141,7 @@ func (ps *ProxyServer) ServeHTTPS() {
 proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}}
 defer proxyListener.Close()
- tlsListener := tls.NewListener(proxyListener, config)
+ tlsListener := tls.NewListener(proxyListener, tlsConfig)
 ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")
 ps.serve(tlsListener)
 ps.log.WithField("listen", listenAddress).Info("Stopping HTTPS server")
diff --git a/internal/utils/tls.go b/internal/utils/tls.go
new file mode 100644
index 000000000..36281b12f
--- /dev/null
+++ b/internal/utils/tls.go
@@ -0,0 +1,26 @@
+package utils
+
+import "crypto/tls"
+
+func GetTLSConfig() *tls.Config {
+ tlsConfig := &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ MaxVersion: tls.VersionTLS12,
+ }
+
+ // Insecure SWEET32 attack ciphers, TLS config uses a fallback
+ insecureCiphersIds := []uint16{
+ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ }
+ defaultSecureCiphers := []uint16{}
+ for _, cs := range tls.CipherSuites() {
+ for _, icsId := range insecureCiphersIds {
+ if cs.ID != icsId {
+ defaultSecureCiphers = append(defaultSecureCiphers, cs.ID)
+ }
+ }
+ }
+ tlsConfig.CipherSuites = defaultSecureCiphers
+ return tlsConfig
+}
diff --git a/internal/web/tls.go b/internal/web/tls.go
index 0a98522d0..6c7fe9df8 100644
--- a/internal/web/tls.go
+++ b/internal/web/tls.go
@@ -7,6 +7,7 @@ import (
 "github.com/pires/go-proxyproto"
 "goauthentik.io/internal/config"
 "goauthentik.io/internal/crypto"
+ "goauthentik.io/internal/utils"
 "goauthentik.io/internal/utils/web"
 )
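Review bot: The cipher filter in the new `GetTLSConfig` (internal/utils/tls.go) does not exclude anything: the inner loop appends `cs.ID` on every mismatch, so every non-3DES suite from `tls.CipherSuites()` lands in the list twice and each 3DES suite lands in it once (on the comparison against the other ID), which is the opposite of what the SWEET32 comment intends. The exclusion has to be decided once per suite rather than once per comparison; a set lookup as below makes that explicit and also drops the duplicates. On recent Go toolchains `tls.CipherSuites()` appears to omit the 3DES suites already, in which case the filter is a no-op, so this is worth confirming against the project's Go version and pinning with a unit test that asserts both 3DES IDs are absent and no ID repeats. `GetTLSConfig` is exported without a doc comment; `// GetTLSConfig returns the baseline TLS configuration shared by the LDAP, proxy and web listeners: TLS 1.2 only, with the 3DES (SWEET32) cipher suites excluded. Callers set GetCertificate.` would cover it, and `insecureCiphersIds` should be spelled `insecureCipherIDs` per Go's initialism convention.
```go
func GetTLSConfig() *tls.Config {
	// … unchanged: tlsConfig construction with MinVersion/MaxVersion …

	// 3DES suites are vulnerable to SWEET32; never advertise them.
	insecureCipherIDs := map[uint16]bool{
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:       true,
	}
	var secureCiphers []uint16
	for _, cs := range tls.CipherSuites() {
		if insecureCipherIDs[cs.ID] {
			continue
		}
		secureCiphers = append(secureCiphers, cs.ID)
	}
	tlsConfig.CipherSuites = secureCiphers
	return tlsConfig
}
```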
@@ -35,11 +36,8 @@ func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Certif
 // ServeHTTPS constructs a net.Listener and starts handling HTTPS requests
 func (ws *WebServer) listenTLS() {
- tlsConfig := &tls.Config{
- MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12,
- GetCertificate: ws.GetCertificate(),
- }
+ tlsConfig := utils.GetTLSConfig()
+ tlsConfig.GetCertificate = ws.GetCertificate()
 ln, err := net.Listen("tcp", config.Get().Listen.HTTPS)
 if err != nil {