[lxc-devel] [lxd/master] Allow relaxing cipher list

stgraber on Github lxc-bot at linuxcontainers.org
Mon Oct 15 16:20:01 UTC 2018


From ac40345be2b34a9902b585cbb2f4a525b151d756 Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgraber at ubuntu.com>
Date: Mon, 15 Oct 2018 12:00:45 -0400
Subject: [PATCH 1/2] shared/network: Allow TLS1.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 shared/network.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/shared/network.go b/shared/network.go
index 78da2966b7..d71dffb046 100644
--- a/shared/network.go
+++ b/shared/network.go
@@ -49,7 +49,6 @@ func RFC3493Dialer(network, address string) (net.Conn, error) {
 func InitTLSConfig() *tls.Config {
 	return &tls.Config{
 		MinVersion: tls.VersionTLS12,
-		MaxVersion: tls.VersionTLS12,
 		CipherSuites: []uint16{
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
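Review bot: the hunk only drops `MaxVersion: tls.VersionTLS12` and the commit has no body, so the consequence is undocumented; please add a sentence to the commit message (and a comment in `InitTLSConfig`) saying that without a `MaxVersion` the ceiling becomes whatever the Go runtime supports, and that the `CipherSuites` list kept below (`tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, ...) only governs TLS 1.2 handshakes, because Go's crypto/tls does not let applications configure TLS 1.3 cipher suites. Keeping `MinVersion: tls.VersionTLS12` as the floor is right; the point is that the strict list no longer describes every handshake the server will accept.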

From f94b460532f04885592c15d38078024a82ab5057 Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgraber at ubuntu.com>
Date: Mon, 15 Oct 2018 12:15:46 -0400
Subject: [PATCH 2/2] global: Implement LXD_INSECURE_TLS env variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This introduces a new `LXD_INSECURE_TLS` environment variable which when
set to true will disable our restrictive list of ciphers for client to
server communications as well as image and instance type retrieval.

This effectively makes it possible to perform downgrade attacks against
LXD, breaking perfect forward secrecy and isn't something that should
ever be used unless your environment gives you no choice
(intercepting TLS proxy).

Communications between LXD servers (container or storage migration) as
well as communications within a LXD cluster WILL NOT respect this
environment variable and will keep enforcing a very strict list of
ciphers. That's because those communications should never be proxied in
the first place.

This is only available through environment variables due to how widely
used and deep our TLS code is and the need for both the CLI and daemon
to know about this (so a daemon config option wouldn't be sufficient).

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 client/util.go     | 6 ++++++
 doc/environment.md | 1 +
 shared/cert.go     | 6 ++++++
 3 files changed, 13 insertions(+)

diff --git a/client/util.go b/client/util.go
index bfb1ff172a..1d8a6e2a51 100644
--- a/client/util.go
+++ b/client/util.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"os"
 	"strings"
 
 	"github.com/lxc/lxd/shared"
@@ -19,6 +20,11 @@ func tlsHTTPClient(client *http.Client, tlsClientCert string, tlsClientKey strin
 		return nil, err
 	}
 
+	// Support disabling of strict ciphers
+	if shared.IsTrue(os.Getenv("LXD_INSECURE_TLS")) {
+		tlsConfig.CipherSuites = nil
+	}
+
 	// Define the http transport
 	transport := &http.Transport{
 		TLSClientConfig:   tlsConfig,
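Review bot: `tlsConfig.CipherSuites = nil` when `LXD_INSECURE_TLS` is true silently hands suite selection back to Go's default list, which is the forward-secrecy loss the commit message warns about, yet nothing in this hunk makes that state observable; since the override is an intentional weakening, have `tlsHTTPClient` emit a warning when it is active so an operator reading the client output can tell why a connection negotiated a weaker suite. The comment `// Support disabling of strict ciphers` should also state that only `CipherSuites` is reset and whatever `MinVersion` is already set on `tlsConfig` stays in force, so readers do not assume the variable lowers the protocol version floor too.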
diff --git a/doc/environment.md b/doc/environment.md
index 1fed8f7936..2e2ab8767e 100644
--- a/doc/environment.md
+++ b/doc/environment.md
@@ -6,6 +6,7 @@ the user's environment and to turn some advanced features on and off.
 Name                            | Description
 :---                            | :----
 `LXD_DIR`                       | The LXD data directory
+`LXD_INSECURE_TLS`              | If set to true, allows all default Go ciphers both for client <-> server communication and server <-> image servers (server <-> server and clustering are not affected)
 `PATH`                          | List of paths to look into when resolving binaries
 `http_proxy`                    | Proxy server URL for HTTP
 `https_proxy`                   | Proxy server URL for HTTPs
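Review bot: the new `LXD_INSECURE_TLS` row says what the variable enables but not what it costs; the commit message states that it makes downgrade attacks possible, breaks perfect forward secrecy, is only meant for environments with an intercepting TLS proxy, and has to be visible to both the CLI and the daemon. doc/environment.md is where an operator will look before exporting it, so fold those points into the description, e.g. "If set to true, allows all default Go ciphers for client <-> server and server <-> image server communication (server <-> server and clustering are not affected). Weakens TLS (downgrade possible, no forward secrecy); only for intercepting-proxy environments, and must be set for both the client and the daemon."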
diff --git a/shared/cert.go b/shared/cert.go
index b4f9d53b27..4fb9364f00 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -364,6 +364,12 @@ func GetRemoteCertificate(address string) (*x509.Certificate, error) {
 	}
 
 	tlsConfig.InsecureSkipVerify = true
+
+	// Support disabling of strict ciphers
+	if IsTrue(os.Getenv("LXD_INSECURE_TLS")) {
+		tlsConfig.CipherSuites = nil
+	}
+
 	tr := &http.Transport{
 		TLSClientConfig: tlsConfig,
 		Dial:            RFC3493Dialer,
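Review bot: this block is a verbatim copy of the one added to client/util.go (same comment, same `IsTrue(os.Getenv("LXD_INSECURE_TLS"))` check, same `tlsConfig.CipherSuites = nil`); move it into a single helper in `shared` (for example applied where the TLS config is built, or a small `ApplyInsecureTLS(cfg *tls.Config)` style function, name as suggested here) so the two call sites cannot drift, any future code that builds a TLS config picks up the same behaviour, and there is one place to audit and one place to emit a warning. Since the diffstat lists only these 6 insertions for shared/cert.go and no import hunk accompanies them, the hunk relies on `os` already being imported in that file. Worth a comment here as well that `GetRemoteCertificate` already runs with `InsecureSkipVerify = true` just above, so a reader sees that both relaxations apply on this path and why that is acceptable for a fingerprint fetch.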

