
Commit 87016c7

committed
Apply secure defaults to TLS configs provided through GetConfigForClient
1 parent 4544b8a commit 87016c7

2 files changed

+245
-92
lines changed


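--- a/credentials/tls.go
+++ b/credentials/tls.go
@@ -200,25 +200,41 @@ var tls12ForbiddenCipherSuites = map[uint16]struct{}{
 
 // NewTLS uses c to construct a TransportCredentials based on TLS.
 func NewTLS(c *tls.Config) TransportCredentials {
-tc := &tlsCreds{credinternal.CloneTLSConfig(c)}
-tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos)
+cfg := applyDefaults(c)
+if cfg.GetConfigForClient != nil {
+oldFn := cfg.GetConfigForClient
+cfg.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
+cfgForClient, err := oldFn(hello)
+if err != nil || cfgForClient == nil {
+return cfgForClient, err
+}
+return applyDefaults(cfgForClient), nil
+}
+}
+tc := &tlsCreds{config: cfg}
+return tc
+}
+
+func applyDefaults(c *tls.Config) *tls.Config {
+config := credinternal.CloneTLSConfig(c)
+config.NextProtos = credinternal.AppendH2ToNextProtos(config.NextProtos)
 // If the user did not configure a MinVersion and did not configure a
 // MaxVersion < 1.2, use MinVersion=1.2, which is required by
 // https://datatracker.ietf.org/doc/html/rfc7540#section-9.2
-if tc.config.MinVersion == 0 && (tc.config.MaxVersion == 0 || tc.config.MaxVersion >= tls.VersionTLS12) {
-tc.config.MinVersion = tls.VersionTLS12
+if config.MinVersion == 0 && (config.MaxVersion == 0 || config.MaxVersion >= tls.VersionTLS12) {
+config.MinVersion = tls.VersionTLS12
 }
 // If the user did not configure CipherSuites, use all "secure" cipher
 // suites reported by the TLS package, but remove some explicitly forbidden
 // by https://datatracker.ietf.org/doc/html/rfc7540#appendix-A
-if tc.config.CipherSuites == nil {
+if config.CipherSuites == nil {
 for _, cs := range tls.CipherSuites() {
 if _, ok := tls12ForbiddenCipherSuites[cs.ID]; !ok {
-tc.config.CipherSuites = append(tc.config.CipherSuites, cs.ID)
+config.CipherSuites = append(config.CipherSuites, cs.ID)
 }
 }
 }
-return tc
+return config
 }
 
 // NewClientTLSFromCert constructs TLS credentials from the provided root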
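Review bot: The new applyDefaults helper (file line 218) has no doc comment, and the GetConfigForClient wrapper in NewTLS (file lines 204-213) does not say why it re-applies the defaults, so a later maintainer cannot tell from the code that a config returned per handshake replaces the base config and would otherwise escape the RFC 7540 minimum-version and cipher-suite rules that the base config gets. I would head the helper with `// applyDefaults returns a clone of c with h2 appended to NextProtos, MinVersion raised to 1.2 unless an older MaxVersion was pinned, and the RFC 7540-compliant cipher-suite list filled in when CipherSuites is nil; c itself is not modified.` and precede the wrapper with `// A config returned by GetConfigForClient replaces cfg for that handshake, so it needs the same secure defaults.` Note also that applyDefaults runs CloneTLSConfig and rebuilds the cipher-suite slice on every handshake that goes through the callback; if that cost shows up, the result could be memoized per returned config pointer, but only if the callback is known to return stable pointers. When oldFn returns a non-nil config together with a non-nil error the config is passed through without defaults, which is presumably harmless because the handshake is aborted on the error, but a one-line comment stating that would save the next reader the question.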
