tlsconfig: align client and server defaults, remove weak CBC ciphers#128
cc @vvoland (just an extra pair of eyes)
Pull Request Overview
This PR unifies client and server TLS cipher defaults, removes outdated CBC ciphers, and consolidates configuration logic into a single helper.
- Removed the separate client-only cipher list and replaced it with `defaultCipherSuites`
- Introduced `defaultConfig` for both `ClientDefault` and `ServerDefault`, simplifying duplication
- Updated tests to assert against the new `defaultCipherSuites`
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tlsconfig/config.go | Consolidated cipher lists, added defaultConfig, refactored ClientDefault/ServerDefault |
| tlsconfig/config_client_ciphers.go | Deleted obsolete file defining client-only ciphers |
| tlsconfig/config_test.go | Updated tests to expect defaultCipherSuites instead of clientCipherSuites |
Comments suppressed due to low confidence (2)
tlsconfig/config.go:39
- Fix the typo in the comment: change 'should be uses' to 'should be used'.
  `// DefaultServerAcceptedCiphers should be uses by code which already has a crypto/tls`

tlsconfig/config_test.go:398
- Enhance the failure message to include both expected and actual slices, e.g., `t.Fatalf("Unexpected client cipher suites: got %v, want %v", tlsConfig.CipherSuites, defaultCipherSuites)` for better diagnostics.
  `if !reflect.DeepEqual(tlsConfig.CipherSuites, defaultCipherSuites) {`
| // Client returns a TLS configuration meant to be used by a client. | ||
| func Client(options Options) (*tls.Config, error) { | ||
| tlsConfig := ClientDefault() | ||
| tlsConfig := defaultConfig() |
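Review bot: With Client() now calling defaultConfig() directly, the exported ClientDefault() is no longer on any code path inside this package, so nothing in the package's own tests would notice if the two ever diverged; if the intent is to deprecate it (moby/moby#49611 is cited later in this thread), add a `// Deprecated:` line to the ClientDefault doc comment now so external callers get a lint warning, and otherwise state in the Client() comment that it returns the same defaults as ClientDefault().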
[nitpick] Use ClientDefault() instead of calling defaultConfig() directly to leverage the named wrapper and ensure consistency if the wrapper logic evolves.
Not doing this currently; considering deprecating ClientDefault and ServerDefault in favour of a single default (or potentially "none"); see moby/moby#49611
| // Server returns a TLS configuration meant to be used by a server. | ||
| func Server(options Options) (*tls.Config, error) { | ||
| tlsConfig := ServerDefault() | ||
| tlsConfig := defaultConfig() |
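Review bot: Same concern as in Client(): Server() now bypasses ServerDefault(), so any server-only setting that later lands in ServerDefault() would silently not apply to Server(). Either keep ServerDefault() as the single entry point here, or document on defaultConfig() that it is the only place defaults are meant to change, so a future server-specific tweak is not added to the wrong function.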
[nitpick] Call ServerDefault() here rather than invoking defaultConfig() directly, preserving the intended abstraction and future-proofing any server-specific options.
| tlsConfig := defaultConfig() | |
| tlsConfig := ServerDefault() |
Not doing this currently; considering deprecating ClientDefault and ServerDefault in favour of a single default (or potentially "none"); see moby/moby#49611
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Pull Request Overview
This PR unifies the TLS client and server default configurations by consolidating cipher suites into a single set and removing weak CBC cipher suites.
- Updated tests to check for the unified default cipher suites.
- Removed the dedicated client cipher suites file and replaced it with a common default.
- Refactored configuration functions to use a shared defaultConfig function.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tlsconfig/config_test.go | Updated tests to expect the unified default cipher suites. |
| tlsconfig/config_client_ciphers.go | Removed dedicated client cipher suite variable. |
| tlsconfig/config.go | Consolidated cipher suite defaults and refactored configuration functions. |
These ciphers were split between server and client in [docker/go-connections@9b43f5a] (Docker v1.8.0, Jun 11, 2015);

> removing the CBC ciphers from the client preferred TLS cipher suites.
> This will allow a future version of the server to also remove the CBC
> ciphers from the accepted list.
>
> This changes the server default to client + additional CBC cipher list,
> and client default to the non-CBC ciphers.

That change allowed phasing out the use of these ciphers in the client, but (for backward-compatibility with older clients) the daemon to still accept old ones.

Given that no current client versions should still be using these, we should be able to remove them from the list of ciphers that are supported by the daemon.

Now that client and server are the same, we can also use a single implementation for both.

[docker/go-connections@9b43f5a]: moby/moby@9b43f5a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Let me bring this one in, thanks!

Is it intentional that this PR closed moby/moby#36442? Changes seem to be unrelated at first glance...

OH! Definitely not intentional; looks like I may have copy/pasta'd a wrong link.
tlsconfig: align client and server, remove weak CBC ciphers
These ciphers were split between server and client in docker@9b43f5a
(Docker v1.8.0, Jun 11, 2015);
That change allowed phasing out the use of these ciphers in the client,
but (for backward-compatibility with older clients) the daemon to still
accept old ones.
Given that no current client versions should still be using these, we
should be able to remove them from the list of ciphers that are supported
by the daemon.
Now that client and server are the same, we can also use a single implementation
for both.
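A shared default in the shape this PR describes, plus a check that no CBC suite remains in either side's configuration, as an added example rather than code from the PR or from docker/go-connections; the cipher list, the `cbcSuites` helper and the wrapper signatures are assumptions, not the merged code:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// defaultCipherSuites is a constructed AEAD-only TLS 1.2 list (an assumption
// for this example, not the list merged in the PR).
var defaultCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// defaultConfig is the single helper that both ClientDefault and
// ServerDefault wrap, mirroring the structure the PR describes.
func defaultConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: defaultCipherSuites,
	}
}

func ClientDefault() *tls.Config { return defaultConfig() }
func ServerDefault() *tls.Config { return defaultConfig() }

// cbcSuites returns the registered names of any CBC-mode suites in cfg.
// An empty CipherSuites list makes crypto/tls use its own TLS 1.2 order,
// which still includes CBC suites, so that case is flagged via goDefaults.
func cbcSuites(cfg *tls.Config) (names []string, goDefaults bool) {
	if len(cfg.CipherSuites) == 0 {
		return nil, true
	}
	for _, id := range cfg.CipherSuites {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "_CBC_") {
			names = append(names, name)
		}
	}
	return names, false
}

func main() {
	names, goDefaults := cbcSuites(ServerDefault())
	fmt.Printf("CBC suites in server default: %v (Go defaults: %v)\n", names, goDefaults)
}
```

The `goDefaults` flag is the caveat worth keeping in a test: a config that sets no CipherSuites at all is not "CBC-free", it simply inherits crypto/tls's preference order.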