From ce1ad010e94f7efa75cda1bec6917f368f888ae9 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Mon, 13 May 2024 20:42:15 -0500
Subject: [PATCH] Remove Legacy TLS Config, which is not used in the source code

---
 internal/crypto/ptls/ptls.go      | 17 --------
 internal/crypto/ptls/ptls_test.go | 65 -------------------------------
 2 files changed, 82 deletions(-)

diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go
index 6ebd86e02..37f12785a 100644
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
@@ -19,8 +19,6 @@ import (
 	"k8s.io/client-go/transport"
 )
 
-// TODO decide if we need to expose the four TLS levels (secure, default, default-ldap, legacy) as config.
-
 // defaultServingOptionsMinTLSVersion is the minimum tls version in the format
 // expected by SecureServingOptions.MinTLSVersion from
 // k8s.io/apiserver/pkg/server/options.
@@ -28,21 +26,6 @@ const defaultServingOptionsMinTLSVersion = "VersionTLS12"
 
 type ConfigFunc func(*x509.CertPool) *tls.Config
 
-func Legacy(rootCAs *x509.CertPool) *tls.Config {
-	c := Default(rootCAs)
-	// add all the ciphers (even the crappy ones) except the ones that Go considers to be outright broken like 3DES
-	c.CipherSuites = suitesToIDs(tls.CipherSuites())
-	return c
-}
-
-func suitesToIDs(suites []*tls.CipherSuite) []uint16 {
-	out := make([]uint16, 0, len(suites))
-	for _, suite := range suites {
-		out = append(out, suite.ID)
-	}
-	return out
-}
-
 func Merge(tlsConfigFunc ConfigFunc, tlsConfig *tls.Config) {
 	secureTLSConfig := tlsConfigFunc(nil)
 
diff --git a/internal/crypto/ptls/ptls_test.go b/internal/crypto/ptls/ptls_test.go
index e3eff9935..f38ca3b99 100644
--- a/internal/crypto/ptls/ptls_test.go
+++ b/internal/crypto/ptls/ptls_test.go
@@ -5,11 +5,8 @@ package ptls
 
 import (
 	"crypto/tls"
-	"runtime"
-	"strings"
 	"testing"
 
-	"github.com/coreos/go-semver/semver"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apiserver/pkg/server/options"
 )
@@ -37,13 +34,6 @@ func TestDefaultServing(t *testing.T) {
 func TestMerge(t *testing.T) {
 	t.Parallel()
 
-	runtimeVersion := runtime.Version()
-	if strings.HasPrefix(runtimeVersion, "go") {
-		runtimeVersion, _ = strings.CutPrefix(runtimeVersion, "go")
-	}
-	runtimeVersionSemver, err := semver.NewVersion(runtimeVersion)
-	require.NoError(t, err)
-
 	tests := []struct {
 		name          string
 		tlsConfigFunc ConfigFunc
@@ -167,33 +157,6 @@ func TestMerge(t *testing.T) {
 				NextProtos: []string{"panda"},
 			},
 		},
-		{
-			name:          "legacy without NextProtos",
-			tlsConfigFunc: Legacy,
-			tlsConfig: &tls.Config{
-				ServerName: "something-to-check-passthrough",
-			},
-			want: &tls.Config{
-				ServerName:   "something-to-check-passthrough",
-				MinVersion:   tls.VersionTLS12,
-				CipherSuites: wantLegacyCipherSuites(runtimeVersionSemver),
-				NextProtos:   []string{"h2", "http/1.1"},
-			},
-		},
-		{
-			name:          "legacy with NextProtos",
-			tlsConfigFunc: Legacy,
-			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
-				ServerName: "a different thing for passthrough",
-				NextProtos: []string{"panda"},
-			},
-			want: &tls.Config{
-				ServerName:   "a different thing for passthrough",
-				MinVersion:   tls.VersionTLS12,
-				CipherSuites: wantLegacyCipherSuites(runtimeVersionSemver),
-				NextProtos:   []string{"panda"},
-			},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -204,31 +167,3 @@ func TestMerge(t *testing.T) {
 		})
 	}
 }
-
-func wantLegacyCipherSuites(runtime *semver.Version) []uint16 {
-	var ciphers []uint16
-	if runtime.Major == 1 && runtime.Minor < 22 {
-		ciphers = append(ciphers, []uint16{
-			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-		}...)
-	}
-	ciphers = append(ciphers, []uint16{
-		tls.TLS_AES_128_GCM_SHA256,
-		tls.TLS_AES_256_GCM_SHA384,
-		tls.TLS_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-	}...)
-	return ciphers
-}