fix: make setting the cipher suite as an array or suites #6

Merged
merged 2 commits into from
Jul 15, 2024
2 changes: 2 additions & 0 deletions .github/workflows/lint.yml
@@ -13,6 +13,7 @@ on:
- 'docs/**'
- 'mk/**'
- '.gitignore'
- 'codecov.yml'
- 'kheper.yml'
- 'LICENSE'
- 'Makefile'
@@ -26,6 +27,7 @@ on:
- 'docs/**'
- 'mk/**'
- '.gitignore'
- 'codecov.yml'
- 'kheper.yml'
- 'LICENSE'
- 'Makefile'
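Review bot: the ignore list for the second trigger duplicates the first one line for line, so every new top-level file (here `codecov.yml`) has to be added in both places; a YAML anchor on the first list (`&ignored_paths`) referenced from the second (`*ignored_paths`) would keep the two triggers from drifting apart.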
96 changes: 61 additions & 35 deletions README.md
@@ -75,7 +75,7 @@ the configuration options available:
| `nodes.connection.host` | `KHEPER_NODES_CONNECTION_HOST` | The RFC 1123 IP address or hostname of the control plane to connect to. |
| `nodes.connection.port` | `KHEPER_NODES_CONNECTION_PORT` | The port of the control plane to connect to (range 1-65535). |
| `nodes.connection.protocol` | `KHEPER_NODES_CONNECTION_PROTOCOL` | The protocol to use to communicate with the control plane. Supported values are 'standard' and 'jsonrpc'. (default: **standard**) |
| `nodes.connection.cipher_suite` | `KHEPER_NODES_CONNECTION_CIPHER_SUITE` | The OpenSSL or TLS cipher suite to use when connecting to the control plane. If not specified, the default cipher suite will be used. |
| `nodes.connection.cipher_suites` | `KHEPER_NODES_CONNECTION_CIPHER_SUITES` | The OpenSSL or TLS cipher suites to use when connecting to the control plane. Each cipher suite in the slice will be "round-robin" across the nodes based on the number of instances. If not specified, the default cipher suite will be used. |
| `nodes.connection.tls_version` | `KHEPER_NODES_CONNECTION_TLS_VERSION` | The TLS version to use when connecting to the control plane. If not specified, TLS v1.3 will be used. |
| `nodes.connection.certificate` | `KHEPER_NODES_CONNECTION_CERTIFICATE` | The TLS certificate in PEM format to use when connecting to the control plane. |
| `nodes.connection.key` | `KHEPER_NODES_CONNECTION_KEY` | The TLS key in PEM format to use when connecting to the control plane. |
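Review bot: the new `cipher_suites` row should state the two limits that decide whether the setting does anything. First, Go's crypto/tls does not let a client configure TLS 1.3 cipher suites, so the list only applies when `tls_version` is TLS 1.2; with the documented default of TLS 1.3 the setting is silently ignored. Second, the environment form (`KHEPER_NODES_CONNECTION_CIPHER_SUITES`) takes a single comma-separated string, which the example further down relies on but the table never says. The wording 'Each cipher suite in the slice will be "round-robin" across the nodes' would also be clearer as 'cipher suites are assigned round-robin to the node instances'.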
@@ -167,7 +167,7 @@ defaults:

# Node configuration for single or multiple control planes
nodes:
- instances: 4
- instances: 6
hostname: sequential
id: sequential
versions:
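Review bot: `instances` goes from 4 to 6 with no hint why; because the suite list further down this same example has six entries, a short YAML comment (for example `# one instance per cipher suite listed below`) would make the round-robin relationship explicit for anyone who copies the example and changes one number but not the other.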
@@ -177,25 +177,32 @@ nodes:
host: localhost
port: 8005
protocol: standard
cipher_suites:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
tls_version: TLSv1.2
certificate: |
-----BEGIN CERTIFICATE-----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MIIBkTCCATegAwIBAgIUNafcmtDPirW6BY512Kn4LVm49ggwCgYIKoZIzj0EAwIw
HTEbMBkGA1UEAwwSa2hlcGVyLmV4YW1wbGUuY29tMCAXDTI0MDcxNTE1NTExNloY
DzIxMjQwNjIxMTU1MTE2WjAdMRswGQYDVQQDDBJraGVwZXIuZXhhbXBsZS5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CPo1MwUTAd
BgNVHQ4EFgQU5qSZisQi+Gg5b/W8ianbh9+f1DcwHwYDVR0jBBgwFoAU5qSZisQi
+Gg5b/W8ianbh9+f1DcwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
AiBxcYu26lPkyxqDjas6gAXIuyJLK4IlDkvkRQxU0Ko9zAIhAJF0vuSPLvp+4L/G
rrfgvmrE10iZPEm0/Iq2vlF/hZ63
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQUiS3CZzgoSfdTG+
zAwolAeSTnkw2e//Ic9dRl8GVMmhRANCAATFKTJRQj2QSVQ7MbA5p9VQnNtkldTG
nvaRW9zke5M8Z5b6TJwAS7ysYsHh0hEwglQsimBBq3BKdWDj9vgzJYKo
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgc5u/SwkNIuzrCMxr
IxFc1FAzG1O4Rfm6lWxrFVrTAvahRANCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CP
-----END PRIVATE KEY-----

```

#### Example Environment Variables Configuration
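Review bot: the replaced private key now matches the certificate above it: the public-point bytes in the new key (`...hRANCAARnfTV7waofWrgsN86ueBRl+HuF5+3B`) are the same bytes that appear in the certificate's SubjectPublicKeyInfo (`...BwNCAARnfTV7waofWrgsN86ueBRl+HuF5+3B`), whereas the old key (`...hRANCAATFKTJRQj2Q...`) did not, so the previous README example would have failed at key-pair load time with a private-key/certificate mismatch. This key is also byte-for-byte the one added as docker/kong/cluster_ec.key, so the README should say in one sentence that the embedded pair is the shared throwaway development fixture from the docker directory and not something to reuse elsewhere.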
@@ -218,29 +225,31 @@ export KHEPER_DEFAULTS_RECONNECTION_INTERVAL=10s
export KHEPER_DEFAULTS_RECONNECTION_JITTER=5s

# Nodes
export KHEPER_NODES_INSTANCES=4
export KHEPER_NODES_HOSTNAME=kheper.local
export KHEPER_NODES_ID=unique
export KHEPER_NODES_INSTANCES=6
export KHEPER_NODES_HOSTNAME=sequential
export KHEPER_NODES_ID=sequential
export KHEPER_NODES_VERSIONS=3.7.1,3.7.0
export KHEPER_NODES_CONNECTION_HOST=localhost
export KHEPER_NODES_CONNECTION_PORT=8005
export KHEPER_NODES_CONNECTION_PROTOCOL=standard
export KHEPER_NODES_CONNECTION_CIPHER_SUITE="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-AES256-SHA"
export KHEPER_NODES_CONNECTION_TLS_VERSION=TLSv1.2
export KHEPER_NODES_CONNECTION_CERTIFICATE="-----BEGIN CERTIFICATE-----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MIIBkTCCATegAwIBAgIUNafcmtDPirW6BY512Kn4LVm49ggwCgYIKoZIzj0EAwIw
HTEbMBkGA1UEAwwSa2hlcGVyLmV4YW1wbGUuY29tMCAXDTI0MDcxNTE1NTExNloY
DzIxMjQwNjIxMTU1MTE2WjAdMRswGQYDVQQDDBJraGVwZXIuZXhhbXBsZS5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CPo1MwUTAd
BgNVHQ4EFgQU5qSZisQi+Gg5b/W8ianbh9+f1DcwHwYDVR0jBBgwFoAU5qSZisQi
+Gg5b/W8ianbh9+f1DcwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
AiBxcYu26lPkyxqDjas6gAXIuyJLK4IlDkvkRQxU0Ko9zAIhAJF0vuSPLvp+4L/G
rrfgvmrE10iZPEm0/Iq2vlF/hZ63
-----END CERTIFICATE-----"
export KHEPER_NODES_CONNECTION_KEY="-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQUiS3CZzgoSfdTG+
zAwolAeSTnkw2e//Ic9dRl8GVMmhRANCAATFKTJRQj2QSVQ7MbA5p9VQnNtkldTG
nvaRW9zke5M8Z5b6TJwAS7ysYsHh0hEwglQsimBBq3BKdWDj9vgzJYKo
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgc5u/SwkNIuzrCMxr
IxFc1FAzG1O4Rfm6lWxrFVrTAvahRANCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CP
-----END PRIVATE KEY-----"
export KHEPER_NODES_CONNECTION_PROTOCOL=standard
```

### Hostname and ID
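Review bot: two defects in the environment example. `export KHEPER_NODES_CONNECTION_CIPHER_SUITE=...` still uses the singular name, but config.go binds `nodes.connection.cipher_suites`, so the variable users actually need is `KHEPER_NODES_CONNECTION_CIPHER_SUITES`; as written the list is never read and the default suite is used. And `export KHEPER_NODES_CONNECTION_PROTOCOL=standard` now appears twice, once in the connection block and again after the key; drop the trailing copy.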
@@ -398,17 +407,34 @@ The Kheper Mock Data Plane Node Application provides an Admin API to manage and

### Generating a Certificate and Key Pair

Here is an example of how to generate a certificate and key pair:
Here is an example of how to generate a certificate and key pair using OpenSSL
for multiple cipher suites:

#### Elliptic Curve Key Pair

```bash
openssl req \
-new \
-newkey ec:<(openssl ecparam -name prime256v1) \
-keyout docker/kong/cluster_ec.key \
-nodes \
-x509 \
-days 36500 \
-out docker/kong/cluster_ec.crt \
-subj "/CN=kheper.example.com"
```

#### RSA Key Pair

```bash
openssl req \
-new \
-newkey ec:<(openssl ecparam -name secp256k1) \
-keyout cluster.key \
-newkey rsa:2048 \
-keyout docker/kong/cluster_rsa.key \
-nodes \
-x509 \
-days 36500 \
-out cluster.crt \
-out docker/kong/cluster_rsa.crt \
-subj "/CN=kheper.example.com"
```

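Review bot: the curve change from secp256k1 to prime256v1 is the important part of this hunk and deserves a sentence in the text: Go's crypto/x509 and crypto/tls support P-256 but not secp256k1, so a key generated with the old command could not be loaded by this Go client at all. The new intro line 'for multiple cipher suites' would read better as 'an EC pair for the ECDHE-ECDSA suites and an RSA pair for the ECDHE-RSA suites', which also explains why there are now two commands. Note that `ec:<(openssl ecparam ...)` is bash process substitution, so keeping the fence tagged `bash` rather than `sh` matters.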
2 changes: 2 additions & 0 deletions codecov.yml
@@ -0,0 +1,2 @@
ignore:
- "main.go"
11 changes: 0 additions & 11 deletions docker/kong/cluster.crt

This file was deleted.

5 changes: 0 additions & 5 deletions docker/kong/cluster.key

This file was deleted.

11 changes: 11 additions & 0 deletions docker/kong/cluster_ec.crt
@@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
5 changes: 5 additions & 0 deletions docker/kong/cluster_ec.key
@@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgc5u/SwkNIuzrCMxr
IxFc1FAzG1O4Rfm6lWxrFVrTAvahRANCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CP
-----END PRIVATE KEY-----
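Review bot: this commits a private key to the repository, and it is the same key that is now pasted into README.md and kheper.yml. That is acceptable for a local docker fixture whose certificate is self-signed for `kheper.example.com`, but please mark it as such (a sentence in the README or a short note in docker/kong) so that a secret-scanner hit on it can be triaged quickly and so nobody mounts it outside the compose stack.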
19 changes: 19 additions & 0 deletions docker/kong/cluster_rsa.crt
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions docker/kong/cluster_rsa.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
4 changes: 2 additions & 2 deletions docker/kong/docker-compose.yml
@@ -64,5 +64,5 @@ services:
sysctls:
net.ipv6.conf.all.disable_ipv6: "0"
volumes:
- ./cluster.crt:/cluster.crt:ro
- ./cluster.key:/cluster.key:ro
- ./cluster_ec.crt:/cluster.crt:ro
- ./cluster_ec.key:/cluster.key:ro
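Review bot: only the EC pair is mounted into the control plane, so the docker/kong/cluster_rsa.* files added in this PR are not used by the compose stack, and an ECDHE-RSA suite cannot be negotiated against it because the server only has an ECDSA certificate to offer. Either state in the README that the RSA pair is for running against a control plane that serves an RSA certificate, or add the mount and the corresponding server setting so the default stack exercises both key families.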
13 changes: 10 additions & 3 deletions internal/config/config.go
@@ -103,9 +103,10 @@ type Connection struct {
Port int `yaml:"port" mapstructure:"port"`
// Protocol is the protocol to use to communicate with the control plane.
Protocol string `yaml:"protocol" mapstructure:"protocol"`
// CipherSuite is the TLS cipher suite to use when connecting to the control
// plane.
CipherSuite string `yaml:"cipher_suite" mapstructure:"cipher_suite"`
// CipherSuites is the TLS cipher suite to use when connecting to the control
// plane. Each cipher suite in the slice will be "round-robin" across the
// nodes based on the number of instances.
CipherSuites []string `yaml:"cipher_suites" mapstructure:"cipher_suites"`
// TLSVersion is the TLS cipher version to use when connecting to the control
// plane.
TLSVersion string `yaml:"tls_version" mapstructure:"tls_version"`
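Review bot: the doc comment should say 'cipher suites' (plural) to match the `[]string` type, and '"round-robin" across the nodes' would be clearer as 'assigned round-robin to the node instances'. It is also worth recording here that the value arrives as a single comma-separated string when it comes from the environment, since the split into a slice is done by viper's default `StringToSliceHookFunc(",")` during `Unmarshal` rather than by anything in this package.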
@@ -181,6 +182,12 @@ func NewConfig() (*Config, error) {
if err := viper.BindEnv("nodes.connection.key"); err != nil {
return nil, fmt.Errorf("unable to bind nodes.connection.key environment variable: %w", err)
}
if err := viper.BindEnv("nodes.connection.cipher_suites"); err != nil {
return nil, fmt.Errorf("unable to bind nodes.connection.cipher_suites environment variable: %w", err)
}
if err := viper.BindEnv("nodes.connection.tls_version"); err != nil {
return nil, fmt.Errorf("unable to bind nodes.connection.tls_version environment variable: %w", err)
}

// Enable automatic environment variable binding
viper.AutomaticEnv()
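Review bot: the binding for `nodes.connection.tls_version` did not exist before this change, which means the already documented `KHEPER_NODES_CONNECTION_TLS_VERSION` variable was silently ignored; that is a user-facing fix in its own right and should be named in the PR description or changelog rather than folded into the cipher-suite change. For `cipher_suites`, `BindEnv` yields one string, and turning it into a slice depends on the default decode hook in `viper.Unmarshal`; if a custom `DecoderConfigOption` is ever passed, the comma split must be preserved explicitly.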
12 changes: 12 additions & 0 deletions internal/config/config_test.go
@@ -251,6 +251,8 @@ nodes:
t.Setenv("KHEPER_NODES_HOSTNAME", "kheper.local")
t.Setenv("KHEPER_NODES_ID", "unique")
t.Setenv("KHEPER_NODES_CONNECTION_PROTOCOL", "jsonrpc")
t.Setenv("KHEPER_NODES_CONNECTION_CIPHER_SUITES", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
t.Setenv("KHEPER_NODES_CONNECTION_TLS_VERSION", "TLS1.2")
t.Setenv("KHEPER_NODES_VERSIONS", "3.6.0.0,3.5.0.0")
actual, err := config.NewConfig()
if err != nil {
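Review bot: the test sets `KHEPER_NODES_CONNECTION_TLS_VERSION` to `TLS1.2` while the README and kheper.yml in this same PR use `TLSv1.2`, and it uses IANA-style suite names (`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`) while the docs use OpenSSL names (`ECDHE-ECDSA-AES128-GCM-SHA256`). The README table says both spellings are accepted, so this test covers only one of them; add a case with the documented spellings so the README examples are known to load, or fix whichever side is wrong.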
@@ -278,6 +280,11 @@ nodes:
{
Connection: config.Connection{
Protocol: "jsonrpc",
CipherSuites: []string{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
},
TLSVersion: "TLS1.2",
},
Instances: 5,
Hostname: "kheper.local",
@@ -312,6 +319,11 @@ nodes:
{
Connection: config.Connection{
Protocol: "jsonrpc",
CipherSuites: []string{
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
},
TLSVersion: "TLS1.2",
},
Instances: 5,
Hostname: "kheper.local",
6 changes: 3 additions & 3 deletions internal/utils/cipher_suite.go
@@ -153,9 +153,9 @@ func TLSVersion(tlsVersion string) (uint16, error) {
}
}

// IsCipherSuiteValid returns true if the given cipher suite is supported by the
// given TLS version.
func IsCipherSuiteValid(cipherSuite uint16, tlsVersion uint16) bool {
// ValidateCipherSuite returns true if the given cipher suite is supported by
// the given TLS version.
func ValidateCipherSuite(cipherSuite uint16, tlsVersion uint16) bool {
versions, ok := cipherSuiteToTLSVersion[cipherSuite]
if !ok {
return false
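Review bot: renaming `IsCipherSuiteValid` to `ValidateCipherSuite` moves away from Go convention: a predicate returning `bool` is idiomatically named `IsX` or `HasX`, while `ValidateX` normally returns an `error` describing what failed. If the rename is meant to pave the way for a message such as 'suite X is not supported by TLS version Y', change the signature to return `error` in the same change; otherwise keep the old name and avoid the churn in the test file.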
2 changes: 1 addition & 1 deletion internal/utils/cipher_suite_test.go
@@ -181,7 +181,7 @@ func TestCipherSuite(t *testing.T) {
t.Run(tls.CipherSuiteName(tt.cipherSuite), func(t *testing.T) {
t.Parallel()

require.Equal(t, tt.expected, utils.IsCipherSuiteValid(tt.cipherSuite, tt.tlsVersion))
require.Equal(t, tt.expected, utils.ValidateCipherSuite(tt.cipherSuite, tt.tlsVersion))
})
}
})
34 changes: 21 additions & 13 deletions kheper.yml
@@ -17,7 +17,7 @@ defaults:

# Node configuration for single or multiple control planes
nodes:
- instances: 4
- instances: 6
hostname: sequential
id: sequential
versions:
@@ -27,21 +27,29 @@ nodes:
host: localhost
port: 8005
protocol: standard
cipher_suites:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
tls_version: TLSv1.2
certificate: |
-----BEGIN CERTIFICATE-----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MIIBkTCCATegAwIBAgIUNafcmtDPirW6BY512Kn4LVm49ggwCgYIKoZIzj0EAwIw
HTEbMBkGA1UEAwwSa2hlcGVyLmV4YW1wbGUuY29tMCAXDTI0MDcxNTE1NTExNloY
DzIxMjQwNjIxMTU1MTE2WjAdMRswGQYDVQQDDBJraGVwZXIuZXhhbXBsZS5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CPo1MwUTAd
BgNVHQ4EFgQU5qSZisQi+Gg5b/W8ianbh9+f1DcwHwYDVR0jBBgwFoAU5qSZisQi
+Gg5b/W8ianbh9+f1DcwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBF
AiBxcYu26lPkyxqDjas6gAXIuyJLK4IlDkvkRQxU0Ko9zAIhAJF0vuSPLvp+4L/G
rrfgvmrE10iZPEm0/Iq2vlF/hZ63
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQUiS3CZzgoSfdTG+
zAwolAeSTnkw2e//Ic9dRl8GVMmhRANCAATFKTJRQj2QSVQ7MbA5p9VQnNtkldTG
nvaRW9zke5M8Z5b6TJwAS7ysYsHh0hEwglQsimBBq3BKdWDj9vgzJYKo
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgc5u/SwkNIuzrCMxr
IxFc1FAzG1O4Rfm6lWxrFVrTAvahRANCAARnfTV7waofWrgsN86ueBRl+HuF5+3B
WQgRxu0s1XJqvEgTCsMObNo5c87PA9NpmP2t0O2S8mjonJ2VUOE896CP
-----END PRIVATE KEY-----
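Review bot: the example list includes `ECDHE-ECDSA-AES128-SHA256`, which Go's crypto/tls reports under `tls.InsecureCipherSuites` (CBC with SHA-256), plus two SHA-1 CBC suites. For a mock node whose purpose is to exercise the control plane's handling of many suites that is reasonable, but a YAML comment saying the list exists for coverage and is not a recommended client configuration would stop this file being copied as a baseline.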