[FAB-7525] Strong ciphers for TLS

While Fabric only supports TLS 1.2,
it currently uses the default set of
ciphers provided by Go.  This change
sets the default ciphers to a very
strong set (AESGCM).

While the code is structured to
allow these to be configured in
the future, this change does not
allow the ciphers to be configured.

Change-Id: I6bb68454adacadac63bef3ce89c25e4c687e482b
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>

Author: mastersingh24

core/comm/config.go

@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package comm
 
 import (
+	"crypto/tls"
 	"time"
 
 	"github.com/spf13/viper"
@@ -30,6 +31,15 @@ var (
 		ServerTimeout:     time.Duration(20) * time.Second, // 20 sec - gRPC default
 		ServerMinInterval: time.Duration(1) * time.Minute,  // match ClientInterval
 	}
+	// strong TLS cipher suites
+	tlsCipherSuites = []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	}
 )
 
 // ServerConfig defines the parameters for configuring a GRPCServer instance
@@ -43,20 +53,22 @@ type ServerConfig struct {
 // SecureOptions defines the security parameters (e.g. TLS) for a
 // GRPCServer instance
 type SecureOptions struct {
-	//PEM-encoded X509 public key to be used by the server for TLS communication
+	// PEM-encoded X509 public key to be used by the server for TLS communication
 	ServerCertificate []byte
-	//PEM-encoded private key to be used by the server for TLS communication
+	// PEM-encoded private key to be used by the server for TLS communication
 	ServerKey []byte
-	//Set of PEM-encoded X509 certificate authorities to optionally send
-	//as part of the server handshake
+	// Set of PEM-encoded X509 certificate authorities to optionally send
+	// as part of the server handshake
 	ServerRootCAs [][]byte
-	//Set of PEM-encoded X509 certificate authorities to use when verifying
-	//client certificates
+	// Set of PEM-encoded X509 certificate authorities to use when verifying
+	// client certificates
 	ClientRootCAs [][]byte
-	//Whether or not to use TLS for communication
+	// Whether or not to use TLS for communication
 	UseTLS bool
-	//Whether or not TLS client must present certificates for authentication
+	// Whether or not TLS client must present certificates for authentication
 	RequireClientCert bool
+	// CipherSuites is a list of supported cipher suites for TLS
+	CipherSuites []uint16
 }
 
 // KeepAliveOptions is used to set the gRPC keepalive settings for both

core/comm/server.go

@@ -119,7 +119,9 @@ func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig)
 			grpcServer.serverCertificate.Store(cert)
 
 			//set up our TLS config
-
+			if len(secureConfig.CipherSuites) == 0 {
+				secureConfig.CipherSuites = tlsCipherSuites
+			}
 			getCert := func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 				cert := grpcServer.serverCertificate.Load().(tls.Certificate)
 				return &cert, nil
@@ -128,6 +130,7 @@ func NewGRPCServerFromListener(listener net.Listener, serverConfig ServerConfig)
 			grpcServer.tlsConfig = &tls.Config{
 				GetCertificate:         getCert,
 				SessionTicketsDisabled: true,
+				CipherSuites:           secureConfig.CipherSuites,
 			}
 			grpcServer.tlsConfig.ClientAuth = tls.RequestClientCert
 			//check if client authentication is required

core/comm/server_test.go

@@ -1490,3 +1490,103 @@ func TestUpdateTLSCert(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "certificate is valid for notlocalhost.org1.example.com, notlocalhost, not localhost")
 }
+
+func TestCipherSuites(t *testing.T) {
+	t.Parallel()
+
+	// default cipher suites
+	defaultCipherSuites := []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	}
+	// the other cipher suites supported by Go
+	otherCipherSuites := []uint16{
+		tls.TLS_RSA_WITH_RC4_128_SHA,
+		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	}
+	certPEM, err := ioutil.ReadFile(filepath.Join("testdata", "certs",
+		"Org1-server1-cert.pem"))
+	assert.NoError(t, err)
+	keyPEM, err := ioutil.ReadFile(filepath.Join("testdata", "certs",
+		"Org1-server1-key.pem"))
+	assert.NoError(t, err)
+	caPEM, err := ioutil.ReadFile(filepath.Join("testdata", "certs",
+		"Org1-cert.pem"))
+	assert.NoError(t, err)
+	certPool, err := createCertPool([][]byte{caPEM})
+	assert.NoError(t, err)
+
+	serverConfig := comm.ServerConfig{
+		SecOpts: &comm.SecureOptions{
+			ServerCertificate: certPEM,
+			ServerKey:         keyPEM,
+			UseTLS:            true,
+		}}
+
+	var tests = []struct {
+		name          string
+		port          int
+		clientCiphers []uint16
+		success       bool
+	}{
+		{
+			name:    "server default / client all",
+			port:    8340,
+			success: true,
+		},
+		{
+			name:          "server default / client match",
+			port:          8341,
+			clientCiphers: defaultCipherSuites,
+			success:       true,
+		},
+		{
+			name:          "server default / client no match",
+			port:          8342,
+			clientCiphers: otherCipherSuites,
+			success:       false,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			t.Logf("Running test %s ...", test.name)
+			address := fmt.Sprintf("localhost:%d", test.port)
+			srv, err := comm.NewGRPCServer(address, serverConfig)
+			assert.NoError(t, err)
+			go srv.Start()
+			defer srv.Stop()
+			tlsConfig := &tls.Config{
+				RootCAs:      certPool,
+				CipherSuites: test.clientCiphers,
+			}
+			_, err = tls.Dial("tcp", address, tlsConfig)
+			if test.success {
+				assert.NoError(t, err)
+			} else {
+				t.Log(err)
+				assert.Contains(t, err.Error(), "handshake failure")
+			}
+		})
+	}
+}