Merge pull request #3469 from AmaliMatharaarachchi/downstream-tls

Add downstream tls configs

adapter/config/default_config.go

@@ -134,6 +134,11 @@ var defaultConfig = &Config{
 		},
 		Downstream: envoyDownstream{
 			TLS: downstreamTLS{
+				MinimumProtocolVersion: "TLS1_1",
+				MaximumProtocolVersion: "TLS1_2",
+				Ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, " +
+					"AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, " +
+					"ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA",
 				TrustedCertPath: "/etc/ssl/certs/ca-certificates.crt",
 				MTLSAPIsEnabled: false,
 			},

adapter/config/types.go

@@ -278,8 +278,11 @@ type envoyDownstream struct {
 }
 
 type downstreamTLS struct {
-	TrustedCertPath string
-	MTLSAPIsEnabled bool
+	MTLSAPIsEnabled        bool
+	MinimumProtocolVersion string
+	MaximumProtocolVersion string
+	Ciphers                string
+	TrustedCertPath        string
 }
 
 type upstreamTLS struct {

adapter/internal/oasparser/envoyconf/listener.go

@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
@@ -161,7 +162,6 @@ func createListeners(conf *config.Config) []*listenerv3.Listener {
 	filters = append(filters, &connectionManagerFilterP)
 
 	if conf.Envoy.SecuredListenerPort > 0 {
-		var tlsFilter *tlsv3.DownstreamTlsContext
 
 		listenerHostAddress := defaultListenerHostAddress
 		if len(conf.Envoy.SecuredListenerHost) > 0 {
@@ -190,35 +190,40 @@ func createListeners(conf *config.Config) []*listenerv3.Listener {
 		}
 
 		tlsCert := generateTLSCert(conf.Envoy.KeyStore.KeyPath, conf.Envoy.KeyStore.CertPath)
+		// Convert the cipher string to a string array
+		ciphersArray := strings.Split(conf.Envoy.Downstream.TLS.Ciphers, ",")
+		for i := range ciphersArray {
+			ciphersArray[i] = strings.TrimSpace(ciphersArray[i])
+		}
+
+		tlsFilter := &tlsv3.DownstreamTlsContext{
+			CommonTlsContext: &tlsv3.CommonTlsContext{
+				//TlsCertificateSdsSecretConfigs
+				TlsCertificates: []*tlsv3.TlsCertificate{tlsCert},
+				TlsParams: &tlsv3.TlsParameters{
+					TlsMinimumProtocolVersion: createTLSProtocolVersion(conf.Envoy.Downstream.TLS.MinimumProtocolVersion),
+					TlsMaximumProtocolVersion: createTLSProtocolVersion(conf.Envoy.Downstream.TLS.MaximumProtocolVersion),
+					CipherSuites:              ciphersArray,
+				},
+			},
+		}
+
 		//TODO: (VirajSalaka) Make it configurable via SDS
 		if conf.Envoy.Downstream.TLS.MTLSAPIsEnabled {
-			tlsFilter = &tlsv3.DownstreamTlsContext{
-				// This is false since the authentication will be done at the enforcer
-				RequireClientCertificate: &wrappers.BoolValue{
-					Value: false,
-				},
-				CommonTlsContext: &tlsv3.CommonTlsContext{
-					//TlsCertificateSdsSecretConfigs
-					TlsCertificates: []*tlsv3.TlsCertificate{tlsCert},
-					//For the purpose of including peer certificate into the request context
-					ValidationContextType: &tlsv3.CommonTlsContext_ValidationContext{
-						ValidationContext: &tlsv3.CertificateValidationContext{
-							TrustedCa: &corev3.DataSource{
-								Specifier: &corev3.DataSource_Filename{
-									Filename: conf.Envoy.Downstream.TLS.TrustedCertPath,
-								},
-							},
+			// This is false since the authentication will be done at the enforcer
+			tlsFilter.RequireClientCertificate = &wrappers.BoolValue{
+				Value: false,
+			}
+			//For the purpose of including peer certificate into the request context
+			tlsFilter.CommonTlsContext.ValidationContextType = &tlsv3.CommonTlsContext_ValidationContext{
+				ValidationContext: &tlsv3.CertificateValidationContext{
+					TrustedCa: &corev3.DataSource{
+						Specifier: &corev3.DataSource_Filename{
+							Filename: conf.Envoy.Downstream.TLS.TrustedCertPath,
 						},
 					},
 				},
 			}
-		} else {
-			tlsFilter = &tlsv3.DownstreamTlsContext{
-				CommonTlsContext: &tlsv3.CommonTlsContext{
-					//TlsCertificateSdsSecretConfigs
-					TlsCertificates: []*tlsv3.TlsCertificate{tlsCert},
-				},
-			}
 		}
 
 		marshalledTLSFilter, err := anypb.New(tlsFilter)

resources/conf/config.toml.template

@@ -211,9 +211,15 @@ soapErrorInXMLEnabled = false
   # Maximum concurrent streams allowed for peer on one HTTP/2 connection
   maxConcurrentStreams = 2147483647
 
-[router.downstream]
-# The configurations for SSL configuration related to the client connection in Choreo Connect
+# The configurations for SSL configuration related to the downstream connection in Choreo Connect
 [router.downstream.tls]
+  # Minimum TLS protocol version
+  minimumProtocolVersion = "TLS1_1"
+  # Maximum TLS protocol version
+  maximumProtocolVersion = "TLS1_2"
+  # If specified, the TLS listener will only support the specified ciphers when negotiating TLS 1.0-1.2 
+  # (this setting has no effect when negotiating TLS 1.3)
+  ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA"  
   # Path to trusted certificates
   trustedCertPath = "/etc/ssl/certs/ca-certificates.crt"
   # If configured true, router enables the client certificate validation for providing client certificates