Merge pull request #580 from ChinX/syncer
[SCB-1441] [Syncer] Support for tls certificates when loading instance data from servicecenter
diff --git a/docs/security-tls.md b/docs/security-tls.md
index f0a45b0..1ce23ef 100644
--- a/docs/security-tls.md
+++ b/docs/security-tls.md
@@ -14,5 +14,5 @@
1. ssl_mode: Enabled SSL/TLS mode. [0, 1]
1. ssl_verify_client: Whether the SC verify client(including etcd server). [0, 1]
-1. ssl_protocols: Minimal SSL/TLS protocol version. ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
+1. ssl_min_version: Minimal SSL/TLS protocol version. ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"], based on Go version
1. ssl_ciphers: A list of cipher suite. By default, uses TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/etc/conf/app.conf b/etc/conf/app.conf
index 0e1e9ba..ff85148 100644
--- a/etc/conf/app.conf
+++ b/etc/conf/app.conf
@@ -136,7 +136,7 @@
ssl_mode = 0
ssl_verify_client = 1
# minimal tls protocol, [TLSv1.0, TLSv1.1, TLSv1.2]
-ssl_protocols = TLSv1.2
+ssl_min_version = TLSv1.2
ssl_ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
###################################################################
diff --git a/pkg/rest/client.go b/pkg/rest/client.go
index c0ea997..96fc92d 100644
--- a/pkg/rest/client.go
+++ b/pkg/rest/client.go
@@ -45,8 +45,6 @@
ConnsPerHost: DEFAULT_CONN_POOL_PER_HOST_SIZE,
}
-var defaultClientTLSOptions = tlsutil.DefaultClientTLSOptions()
-
type URLClientOption struct {
SSLEnabled bool
Compressed bool
@@ -213,7 +211,7 @@
}
if option.SSLEnabled {
- opts := append(defaultClientTLSOptions,
+ opts := append(tlsutil.DefaultClientTLSOptions(),
tlsutil.WithVerifyPeer(option.VerifyPeer),
tlsutil.WithCA(option.CAFile),
tlsutil.WithCert(option.CertFile),
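Review bot: The reason for dropping the package-level `defaultClientTLSOptions` cache in favour of calling `tlsutil.DefaultClientTLSOptions()` on every client build is not recorded anywhere in the hunk, so a later reader optimising allocations may well reinstate the cache. Whichever concern motivated it (not sharing one options slice across clients, or making sure the defaults read `tlsutil.MaxSupportedTLSVersion` at call time rather than at package init, as the tlsutil changes in this commit suggest), a one-line comment above the append such as `// build the default options per client; tlsutil resolves the max TLS version at call time` would preserve the intent. The enclosing function starts before the hunk.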
diff --git a/pkg/tlsutil/common.go b/pkg/tlsutil/common.go
index ac4c311..061cb44 100644
--- a/pkg/tlsutil/common.go
+++ b/pkg/tlsutil/common.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
package tlsutil
import (
@@ -35,10 +34,17 @@
"TLSv1.2": tls.VersionTLS12,
}
-var TLS_CIPHER_SUITE []uint16
+var cipherSuite []uint16
-func init() {
- for _, c := range TLS_CIPHER_SUITE_MAP {
- TLS_CIPHER_SUITE = append(TLS_CIPHER_SUITE, c)
+// MaxSupportedTLSVersion is the max supported TLS version
+var MaxSupportedTLSVersion uint16 = tls.VersionTLS12
+
+func TLSCipherSuits() []uint16 {
+ if cipherSuite != nil {
+ return cipherSuite
}
+ for _, c := range TLS_CIPHER_SUITE_MAP {
+ cipherSuite = append(cipherSuite, c)
+ }
+ return cipherSuite
}
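Review bot: The lazy initialisation in `TLSCipherSuits` is not safe for concurrent callers: two goroutines that both observe `cipherSuite == nil` will both append to the package variable, and a reader can see a half-built slice, which is a data race that `-race` will report once two TLS configs are built concurrently. The function also hands back the internal slice itself, so any caller that modifies its result (for example by appending) silently changes the defaults every later caller receives; returning a copy keeps the package state private. The ordering also remains whatever map iteration yields, so the preference order of the suite list differs from run to run; if the server ever relies on server-side preference that should be a fixed, ordered list rather than a map walk, though the commit does not add that. A `sync.Once` guarded version (with `sync` imported) addresses the first two points; the `TLS_VERSION_MAP` declaration at the top of the hunk starts outside it.

```go
var (
	cipherSuiteOnce sync.Once
	cipherSuite     []uint16
)

// TLSCipherSuits returns a copy of the default cipher suite IDs, built once
// from TLS_CIPHER_SUITE_MAP. Note: map iteration order is not stable.
func TLSCipherSuits() []uint16 {
	cipherSuiteOnce.Do(func() {
		for _, c := range TLS_CIPHER_SUITE_MAP {
			cipherSuite = append(cipherSuite, c)
		}
	})
	return append([]uint16(nil), cipherSuite...)
}
```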
diff --git a/pkg/tlsutil/common_test.go b/pkg/tlsutil/common_test.go
new file mode 100644
index 0000000..7378922
--- /dev/null
+++ b/pkg/tlsutil/common_test.go
@@ -0,0 +1,10 @@
+package tlsutil
+
+import "testing"
+
+func TestTLSCipherSuits(t *testing.T) {
+ suits := TLSCipherSuits()
+ if len(suits) <= 0 {
+ t.Fatalf("Get TLSCipherSuits failed")
+ }
+}
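Review bot: The test only checks that the result is non-empty, so it would still pass if `TLSCipherSuits` dropped or duplicated entries of `TLS_CIPHER_SUITE_MAP`; pinning the size against the map, `if len(suits) != len(TLS_CIPHER_SUITE_MAP) { t.Fatalf("got %d suites, want %d", len(suits), len(TLS_CIPHER_SUITE_MAP)) }`, and checking that each map value appears would make the test say something about the conversion. A second call should also be asserted equal to the first, since the function caches its result. As a style point, `len(suits) <= 0` on a slice is just `len(suits) == 0`, and this new file lacks the Apache license header that every other file in the package carries.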
diff --git a/pkg/tlsutil/config.go b/pkg/tlsutil/config.go
index 60b6246..86f57e9 100644
--- a/pkg/tlsutil/config.go
+++ b/pkg/tlsutil/config.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
package tlsutil
import (
@@ -56,14 +55,14 @@
return []SSLConfigOption{
WithVerifyPeer(true),
WithVerifyHostName(true),
- WithVersion(tls.VersionTLS12, tls.VersionTLS12),
+ WithVersion(tls.VersionTLS12, MaxSupportedTLSVersion),
}
}
func DefaultServerTLSOptions() []SSLConfigOption {
return []SSLConfigOption{
WithVerifyPeer(true),
- WithVersion(tls.VersionTLS12, tls.VersionTLS12),
- WithCipherSuits(TLS_CIPHER_SUITE),
+ WithVersion(tls.VersionTLS12, MaxSupportedTLSVersion),
+ WithCipherSuits(TLSCipherSuits()),
}
}
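Review bot: `DefaultServerTLSOptions` now allows negotiation up to `MaxSupportedTLSVersion` while still pinning `WithCipherSuits(TLSCipherSuits())`, and nothing tells the reader that in Go the configured cipher suite list only governs TLS 1.2 and below; TLS 1.3 suites are fixed by the standard library and cannot be restricted through `CipherSuites`. A comment on the `WithCipherSuits` line such as `// applies to TLS <= 1.2 only; Go does not let callers restrict TLS 1.3 suites` would stop an operator from assuming the `ssl_ciphers` list also limits 1.3 handshakes. Both functions should also note that `MaxSupportedTLSVersion` is a package variable overridden in a build-tagged `init`, so it must be read when the options are built and never captured into a package-level value; `DefaultClientTLSOptions` starts before the hunk.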
diff --git a/pkg/tlsutil/tls13.go b/pkg/tlsutil/tls13.go
new file mode 100644
index 0000000..75cd211
--- /dev/null
+++ b/pkg/tlsutil/tls13.go
@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build go1.12
+
+package tlsutil
+
+import "crypto/tls"
+
+func init() {
+ // Add TLS 1.3 version
+ TLS_VERSION_MAP["TLSv1.3"] = tls.VersionTLS13
+ MaxSupportedTLSVersion = tls.VersionTLS13
+}
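Review bot: The `go1.12` build constraint advertises TLS 1.3 on a toolchain where, if I remember the Go 1.12 release notes correctly, TLS 1.3 was present but disabled unless the process ran with `GODEBUG=tls13=1`; it became on by default only in Go 1.13. On a Go 1.12 build without that variable the map entry `TLSv1.3` is still accepted for `ssl_min_version`, which would set a minimum version the runtime cannot negotiate and fail every handshake, while the raised `MaxSupportedTLSVersion` would be silently capped. Either tightening the constraint to `// +build go1.13` or documenting the `GODEBUG` requirement on this `init` would remove that surprise. The `init` also deserves a doc comment stating that it mutates `TLS_VERSION_MAP` and `MaxSupportedTLSVersion` from `common.go`, since package-level variables are initialised before `init` runs and the dependency is otherwise invisible.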
diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
index c131b8e..87f6992 100644
--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
package tlsutil
import (
diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
index a1c88a6..6f9e367 100644
--- a/pkg/tlsutil/tlsutil_test.go
+++ b/pkg/tlsutil/tlsutil_test.go
@@ -1,19 +1,18 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
package tlsutil
import (
diff --git a/server/plugin/pkg/tls/buildin/tls.go b/server/plugin/pkg/tls/buildin/tls.go
index cc45b5d..96f75da 100644
--- a/server/plugin/pkg/tls/buildin/tls.go
+++ b/server/plugin/pkg/tls/buildin/tls.go
@@ -78,7 +78,7 @@
tlsutil.WithVersion(
tlsutil.ParseSSLProtocol(
beego.AppConfig.DefaultString("ssl_client_min_version", core.ServerInfo.Config.SslMinVersion)),
- tls.VersionTLS12),
+ tlsutil.MaxSupportedTLSVersion),
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(beego.AppConfig.String("ssl_client_ciphers"))),
tlsutil.WithKeyPass(passphase),
tlsutil.WithCA(GetSSLPath("trust.cer")),
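Review bot: Nothing checks that the minimum version parsed from `ssl_client_min_version` (or its fallback `SslMinVersion`) is not greater than `tlsutil.MaxSupportedTLSVersion`; with the new file `tls13.go` only compiled on newer toolchains, a config of `TLSv1.3` on an older build is not in `TLS_VERSION_MAP`, and whatever `ParseSSLProtocol` does for an unknown name is not visible in this hunk, so the outcome is either a silent fallback or a config whose min exceeds max and fails every handshake. I would parse into a local, `minVer := tlsutil.ParseSSLProtocol(...)`, and reject `minVer > tlsutil.MaxSupportedTLSVersion` with an explicit configuration error in whatever form the enclosing function reports failures, so the problem surfaces at startup rather than at the first connection. The server options in the next hunk take `SslMinVersion` through the same path and want the same guard; the enclosing function starts before the hunk.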
@@ -108,7 +108,7 @@
opts := append(tlsutil.DefaultServerTLSOptions(),
tlsutil.WithVerifyPeer(core.ServerInfo.Config.SslVerifyPeer),
- tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion), tls.VersionTLS12),
+ tlsutil.WithVersion(tlsutil.ParseSSLProtocol(core.ServerInfo.Config.SslMinVersion), tlsutil.MaxSupportedTLSVersion),
tlsutil.WithCipherSuits(tlsutil.ParseDefaultSSLCipherSuites(core.ServerInfo.Config.SslCiphers)),
tlsutil.WithKeyPass(passphase),
tlsutil.WithCA(GetSSLPath("trust.cer")),
diff --git a/syncer/README-ZH.md b/syncer/README-ZH.md
index ff4c313..65bfc0f 100644
--- a/syncer/README-ZH.md
+++ b/syncer/README-ZH.md
@@ -88,17 +88,17 @@
- 在10.0.0.10的机器上启动syncer集群
```bash
-$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30190 --rpc-addr 10.0.0.10:30191 --mode cluster --node syncer011 --cluster-port 30201 --join-addr 10.0.0.10:30191
-$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30290 --rpc-addr 10.0.0.10:30291 --mode cluster --node syncer012 --cluster-port 30202 --join-addr 10.0.0.10:30191
-$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30390 --rpc-addr 10.0.0.10:30391 --mode cluster --node syncer013 --cluster-port 30203 --join-addr 10.0.0.10:30191
+$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30190 --rpc-addr 10.0.0.10:30191 --mode cluster --node syncer011 --cluster-port 30201 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30290 --rpc-addr 10.0.0.10:30291 --mode cluster --node syncer012 --cluster-port 30202 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30390 --rpc-addr 10.0.0.10:30391 --mode cluster --node syncer013 --cluster-port 30203 --join-addr 10.0.0.10:30190
```
- 在10.0.0.11机器上启动syncer集群
```bash
-$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30190 --rpc-addr 10.0.0.11:30191 --mode cluster --node syncer021 --cluster-port 30201 --join-addr 10.0.0.11:30191
-$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30290 --rpc-addr 10.0.0.11:30291 --mode cluster --node syncer022 --cluster-port 30202 --join-addr 10.0.0.11:30191
-$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30390 --rpc-addr 10.0.0.11:30391 --mode cluster --node syncer023 --cluster-port 30203 --join-addr 10.0.0.11:30191
+$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30190 --rpc-addr 10.0.0.11:30191 --mode cluster --node syncer021 --cluster-port 30201 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30290 --rpc-addr 10.0.0.11:30291 --mode cluster --node syncer022 --cluster-port 30202 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30390 --rpc-addr 10.0.0.11:30391 --mode cluster --node syncer023 --cluster-port 30203 --join-addr 10.0.0.10:30190
```
**结果验证**
diff --git a/syncer/README.md b/syncer/README.md
index ca2f00f..eb46e06 100644
--- a/syncer/README.md
+++ b/syncer/README.md
@@ -113,17 +113,17 @@
- Start Syncer cluster on host 10.0.0.10
```bash
-$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30190 --rpc-addr 10.0.0.10:30191 --mode cluster --node syncer011 --cluster-port 30201 --join-addr 10.0.0.10:30191
-$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30290 --rpc-addr 10.0.0.10:30291 --mode cluster --node syncer012 --cluster-port 30202 --join-addr 10.0.0.10:30191
-$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30390 --rpc-addr 10.0.0.10:30391 --mode cluster --node syncer013 --cluster-port 30203 --join-addr 10.0.0.10:30191
+$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30190 --rpc-addr 10.0.0.10:30191 --mode cluster --node syncer011 --cluster-port 30201 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30290 --rpc-addr 10.0.0.10:30291 --mode cluster --node syncer012 --cluster-port 30202 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.10:30100 --bind-addr 10.0.0.10:30390 --rpc-addr 10.0.0.10:30391 --mode cluster --node syncer013 --cluster-port 30203 --join-addr 10.0.0.10:30190
```
- Start Syncer cluster on host 10.0.0.11
```bash
-$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30190 --rpc-addr 10.0.0.11:30191 --mode cluster --node syncer021 --cluster-port 30201 --join-addr 10.0.0.11:30191
-$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30290 --rpc-addr 10.0.0.11:30291 --mode cluster --node syncer022 --cluster-port 30202 --join-addr 10.0.0.11:30191
-$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30390 --rpc-addr 10.0.0.11:30391 --mode cluster --node syncer023 --cluster-port 30203 --join-addr 10.0.0.11:30191
+$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30190 --rpc-addr 10.0.0.11:30191 --mode cluster --node syncer021 --cluster-port 30201 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30290 --rpc-addr 10.0.0.11:30291 --mode cluster --node syncer022 --cluster-port 30202 --join-addr 10.0.0.10:30190
+$ ./syncer daemon --sc-addr http://10.0.0.11:30100 --bind-addr 10.0.0.11:30390 --rpc-addr 10.0.0.11:30391 --mode cluster --node syncer023 --cluster-port 30203 --join-addr 10.0.0.10:30190
```
**Verification**