Handpick cluster cipher suites when they're not user-set (#7487)

* Handpick cluster cipher suites when they're not user-set There is an undocumented way for users to choose cluster cipher suites but for the most part this is to paper over the fact that there are undesirable suites in TLS 1.2. If not explicitly set, have the set of cipher suites for the cluster port come from a hand-picked list; either the allowed TLS 1.3 set (for forwards compatibility) or the three identical ones for TLS 1.2. The 1.2 suites have been supported in Go until at least as far back as Go 1.9 from two years ago. As a result in cases where no specific suites have been chosen this _ought_ to have no compatibility issues. Also includes a useful test script.
hashicorp · Oct 28, 2019 · 8046fa1 · 8046fa1
1 parent 00ef4e3
commit 8046fa1
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 ## 1.3 (Unreleased)
 
+CHANGES:
+ * Cluster cipher suites: On its cluster port, Vault will no longer advertise
+   the full TLS 1.2 cipher suite list by default. Although this port is only
+   used for Vault-to-Vault communication and would always pick a strong cipher,
+   it could cause false flags on port scanners and other security utilities
+   that assumed insecure ciphers were being used. The previous behavior can be
+   achieved by setting the value of the (undocumented) `cluster_cipher_suites`
+   config flag to `tls12`.
+
 FEATURES:
 
  * **Vault Debug**: A new top-level subcommand, `debug`, is added that allows 

diff --git a/scripts/testciphers.sh b/scripts/testciphers.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# Adapted from https://superuser.com/a/224263
+
+# OpenSSL requires the port number.
+SERVER=$1
+ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
+
+echo Obtaining cipher list from $(openssl version).
+
+for cipher in ${ciphers[@]}
+do
+echo -n Testing $cipher...
+result=$(echo -n | openssl s_client -cipher "$cipher" -alpn req_fw_sb-act_v1 -connect $SERVER 2>&1)
+if [[ "$result" =~ ":error:" ]] ; then
+  error=$(echo -n $result | cut -d':' -f6)
+  echo NO \($error\)
+else
+  if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
+    echo YES
+  else
+    echo UNKNOWN RESPONSE
+    echo $result
+  fi
+fi
+done
diff --git a/vault/core.go b/vault/core.go
@@ -5,6 +5,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/subtle"
+	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -709,7 +710,24 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 	c.clusterAddr.Store(conf.ClusterAddr)
 	c.activeContextCancelFunc.Store((context.CancelFunc)(nil))
 
-	if conf.ClusterCipherSuites != "" {
+	switch conf.ClusterCipherSuites {
+	case "tls12":
+		// Do nothing, let Go use the default
+
+	case "":
+		// Add in forward compatible TLS 1.3 suites, followed by handpicked 1.2 suites
+		c.clusterCipherSuites = []uint16{
+			// 1.3
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			// 1.2
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		}
+
+	default:
 		suites, err := tlsutil.ParseCiphers(conf.ClusterCipherSuites)
 		if err != nil {
 			return nil, errwrap.Wrapf("error parsing cluster cipher suites: {{err}}", err)