ptls

package ptls v0.32.0
Published: Jun 18, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Constants

const SecureTLSConfigMinTLSVersion = tls.VersionTLS13

SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected by tls.Config.

Variables

This section is empty.

Functions

func Default

func Default(rootCAs *x509.CertPool) *tls.Config

Default is the TLS profile that should be used by: A. servers whose clients are outside our control and who may reasonably wish to use TLS 1.2, and B. clients that need to interact with servers that might not support TLS 1.3. It returns a tls.Config with a minimum version of TLS 1.2 and a small set of cipher suites that can be further constrained by configuration (see SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo). Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go).

func DefaultLDAP

func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config

DefaultLDAP TLS profile should be used by clients who need to interact with potentially old LDAP servers that might not support TLS 1.3 and that might use older ciphers. Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go).

func LogAllProfiles added in v0.32.0

func LogAllProfiles(log plog.Logger)

func Merge

func Merge(tlsConfigFunc ConfigFunc, tlsConfig *tls.Config)

func Secure

func Secure(rootCAs *x509.CertPool) *tls.Config

Secure is the TLS profile that should be used by: A. servers whose clients are entirely known by us and who may reasonably be told that they must use TLS 1.3, and B. clients that only need to interact with servers known by us to support TLS 1.3 (e.g. the Kubernetes API). Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go).
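To make the difference between the Default and Secure profiles concrete, here is an added example that is not ptls's own code: it builds stand-in configurations with the same minimum-version rules described above, plus a TLS 1.2-only client, and negotiates them against each other over an in-memory pipe. The helper names, the self-signed certificate and the exact cipher-suite list are assumptions, not taken from the package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Illustrative stand-ins for the Secure and Default profiles described above; not ptls's own code.
func secureProfile(roots *x509.CertPool) *tls.Config { // TLS 1.3 only
	return &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: roots, ServerName: "localhost"}
}
func defaultProfile(roots *x509.CertPool) *tls.Config { // TLS 1.2+, constrained AEAD ciphers (list assumed)
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: "localhost",
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}}
}
func legacyClient(roots *x509.CertPool) *tls.Config { // a client that cannot speak TLS 1.3 at all
	return &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, RootCAs: roots, ServerName: "localhost"}
}
// selfSigned builds a throwaway ECDSA certificate for "localhost" and a pool that trusts it.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // only reachable if the template above is malformed
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}
// negotiate handshakes a server built from serverProfile with a client built from clientProfile over net.Pipe.
func negotiate(serverProfile, clientProfile func(*x509.CertPool) *tls.Config) (uint16, error) {
	cert, pool := selfSigned()
	srvCfg := serverProfile(pool)
	srvCfg.Certificates = []tls.Certificate{cert}
	cPipe, sPipe := net.Pipe()
	defer cPipe.Close() // closing one end also unblocks the server goroutine after a failed handshake
	go tls.Server(sPipe, srvCfg).Handshake()
	client := tls.Client(cPipe, clientProfile(pool))
	err := client.Handshake() // on error the returned version is meaningless; check err first
	return client.ConnectionState().Version, err
}
```

A Default client still ends up on TLS 1.3 against a Secure server; only a client capped at TLS 1.2 is refused by Secure and accepted by Default.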

func SecureServing added in v0.31.0

func SecureServing(opts *options.SecureServingOptionsWithLoopback)

SecureServing modifies the given options to have the appropriate MinTLSVersion and CipherSuites. This function should only be used by the implementation of ptls.SecureRecommendedOptions, which is called to help configure our aggregated API servers. This exists only because it needs to behave differently in FIPS mode. This function is only public so we can integration test it in ptls_fips_test.go. Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go).

func SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo added in v0.32.0

func SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo(userConfiguredAllowedCipherSuitesForTLSOneDotTwo []string) error

SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo allows configuration/setup components to constrain the allowed cipher suites for TLS 1.2. It implements SetAllowedCiphersFunc.

Types

type ConfigFunc

type ConfigFunc func(*x509.CertPool) *tls.Config

type PrepareServerConfigFunc added in v0.29.0

type PrepareServerConfigFunc func(c *genericapiserver.RecommendedConfig)

PrepareServerConfigFunc is a function that can prepare a RecommendedConfig before the use of RecommendedOptions.ApplyTo().

func DefaultRecommendedOptions

func DefaultRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error)

DefaultRecommendedOptions configures the RecommendedOptions for a server to use the appropriate cipher suites, min TLS version, and client configuration options for servers that need to accept incoming connections from arbitrary clients (like the impersonation proxy). It returns a PrepareServerConfigFunc which must be used on a RecommendedConfig before passing it to RecommendedOptions.ApplyTo().

func SecureRecommendedOptions

func SecureRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error)

SecureRecommendedOptions configures the RecommendedOptions for a server to use the appropriate cipher suites, min TLS version, and client configuration options for servers that only need to accept incoming connections from certain well known clients which we expect will always use modern TLS settings (like the Kube API server). It returns a PrepareServerConfigFunc which must be used on a RecommendedConfig before passing it to RecommendedOptions.ApplyTo().

type RestConfigFunc

type RestConfigFunc func(*rest.Config) (kubernetes.Interface, *rest.Config, error)

RestConfigFunc allows this package to not depend on the kubeclient package.

type SetAllowedCiphersFunc added in v0.32.0

type SetAllowedCiphersFunc func([]string) error
