XiaoMo/frp
1
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2025-05-15 03:38:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
frp/pkg/transport/tls.go
zgh419566 f7e3b951b5
Update tls.go 
force frp use tls1.2 only when set TLS mode
avoid to use 3des algorithm

64-bit block cipher 3DES vulnerable to SWEET32 attack

user can scan it by nmap below:
nmap -sV -p 7000 --script ssl-enum-ciphers x.x.x.x

CVE-2016-2183

reference:
https://github.com/fatedier/frp/issues/3973

https://stackoverflow.com/questions/31226131/how-to-set-tls-cipher-for-go-server

https://www.cnblogs.com/stjwy/p/17286010.html
2024-02-06 13:37:03 +08:00

193 lines
5.1 KiB
Go
Raw Blame History

// Copyright 2023 The frp Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package transport
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"math/big"
"os"
)
func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {
tlsCert, err := tls.LoadX509KeyPair(certfile, keyfile)
if err != nil {
return nil, err
}
return &tlsCert, nil
}
func newRandomTLSKeyPair() *tls.Certificate {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
template := x509.Certificate{SerialNumber: big.NewInt(1)}
certDER, err := x509.CreateCertificate(
rand.Reader,
&template,
&template,
&key.PublicKey,
key)
if err != nil {
panic(err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
panic(err)
}
return &tlsCert
}
// Only support one ca file to add
func newCertPool(caPath string) (*x509.CertPool, error) {
pool := x509.NewCertPool()
caCrt, err := os.ReadFile(caPath)
if err != nil {
return nil, err
}
pool.AppendCertsFromPEM(caCrt)
return pool, nil
}
func NewServerTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
base := &tls.Config{}
if certPath == "" || keyPath == "" {
// server will generate tls conf by itself
cert := newRandomTLSKeyPair()
base.Certificates = []tls.Certificate{*cert}
} else {
cert, err := newCustomTLSKeyPair(certPath, keyPath)
if err != nil {
return nil, err
}
base.Certificates = []tls.Certificate{*cert}
}
if caPath != "" {
pool, err := newCertPool(caPath)
if err != nil {
return nil, err
}
base.ClientAuth = tls.RequireAndVerifyClientCert
base.ClientCAs = pool
//20240206 TLS CVE-2016-2183 bye zgh419566
base.MinVersion = tls.VersionTLS12
base.PreferServerCipherSuites = true
base.CipherSuites = []uint16{
//tls.TLS_AES_128_GCM_SHA256,
//tls.TLS_CHACHA20_POLY1305_SHA256,
//tls.TLS_AES_256_GCM_SHA384,
//tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
//tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
//tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
//tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
//tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
//tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
//tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
//tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
//tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
//tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
//tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
//tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}
}
return base, nil
}
func NewClientTLSConfig(certPath, keyPath, caPath, serverName string) (*tls.Config, error) {
base := &tls.Config{}
if certPath != "" && keyPath != "" {
cert, err := newCustomTLSKeyPair(certPath, keyPath)
if err != nil {
return nil, err
}
base.Certificates = []tls.Certificate{*cert}
}
base.ServerName = serverName
if caPath != "" {
pool, err := newCertPool(caPath)
if err != nil {
return nil, err
}
base.RootCAs = pool
base.InsecureSkipVerify = false
//20240206 TLS CVE-2016-2183 by zgh419566
base.PreferServerCipherSuites = false
base.MinVersion = tls.VersionTLS12
base.CipherSuites = []uint16{
//tls.TLS_AES_128_GCM_SHA256,
//tls.TLS_CHACHA20_POLY1305_SHA256,
//tls.TLS_AES_256_GCM_SHA384,
//tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
//tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
//tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
//tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
//tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
//tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
//tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
//tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
//tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
//tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
//tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
//tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}
} else {
base.InsecureSkipVerify = true
}
return base, nil
}
func NewRandomPrivateKey() ([]byte, error) {
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, err
}
keyPEM := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
})
return keyPEM, nil
}
Reference in New Issue View Git Blame Copy Permalink