fix(webhook): disable tsl 1.0 and 1.1 on webhook service

ref: longhorn/longhorn 8387 Signed-off-by: Jack Lin <jack.lin@suse.com>
longhorn · May 6, 2024 · a2dd56a · a2dd56a
1 parent 1d143a6
commit a2dd56a
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/webhook/server/server.go b/webhook/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -33,6 +34,17 @@ var (
 	sideEffectClassNone = admissionregv1.SideEffectClassNone
 )
 
+var (
+	whiteListedCiphers = []uint16{
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	}
+)
+
 type WebhookServer struct {
 	context     context.Context
 	namespace   string
@@ -178,6 +190,10 @@ func (s *WebhookServer) runAdmissionWebhookListenAndServe(handler http.Handler,
 				tlsName,
 			},
 			FilterCN: dynamiclistener.OnlyAllow(tlsName),
+			TLSConfig: &tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: whiteListedCiphers,
+			},
 		},
 	})
 }
@@ -237,6 +253,10 @@ func (s *WebhookServer) runConversionWebhookListenAndServe(handler http.Handler,
 				tlsName,
 			},
 			FilterCN: dynamiclistener.OnlyAllow(tlsName),
+			TLSConfig: &tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: whiteListedCiphers,
+			},
 		},
 	})
 }