Reject handshakes with bad TLS protocols and ciphers (#970)

* Reject handshakes with bad TLS protocols and ciphers * Fix protocols * make cipher suite list static and fix tests * Delete unnecessary line * Add start time configuration for enforcement * small format fix * Add multiple ciphersuite test * fix gradle lint * fix indentation
2025-07-25 20:18:34 +02:00 · 2021-03-03 15:47:42 -05:00 · 2021-03-03 15:47:42 -05:00 · c35f92f54b
commit c35f92f54b
parent cd415fe846
13 changed files with 292 additions and 12 deletions
--- a/proxy/src/main/java/google/registry/proxy/EppProtocolModule.java
+++ b/proxy/src/main/java/google/registry/proxy/EppProtocolModule.java
@ -50,6 +50,7 @@ import javax.inject.Named;
 import javax.inject.Provider;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;
+import org.joda.time.DateTime;

 /** A module that provides the {@link FrontendProtocol} used for epp protocol. */
@Module
@ -159,11 +160,19 @@ public final class EppProtocolModule {
  @Provides
  @EppProtocol
  static SslServerInitializer<NioSocketChannel> provideSslServerInitializer(
+      ProxyConfig config,
      SslProvider sslProvider,
      Supplier<PrivateKey> privateKeySupplier,
-      Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
+      Supplier<ImmutableList<X509Certificate>> certificatesSupplier,
+      Clock clock) {
    return new SslServerInitializer<>(
-        true, false, sslProvider, privateKeySupplier, certificatesSupplier);
+        true,
+        false,
+        sslProvider,
+        privateKeySupplier,
+        certificatesSupplier,
+        DateTime.parse(config.tlsEnforcementStartTime),
+        clock);
  }

  @Provides
--- a/proxy/src/main/java/google/registry/proxy/ProxyConfig.java
+++ b/proxy/src/main/java/google/registry/proxy/ProxyConfig.java
@ -48,6 +48,7 @@ public class ProxyConfig {
  public WebWhois webWhois;
  public HttpsRelay httpsRelay;
  public Metrics metrics;
+  public String tlsEnforcementStartTime;

  /** Configuration options that apply to GCS. */
  public static class Gcs {
--- a/proxy/src/main/java/google/registry/proxy/WebWhoisProtocolsModule.java
+++ b/proxy/src/main/java/google/registry/proxy/WebWhoisProtocolsModule.java
@ -21,6 +21,8 @@ import dagger.multibindings.IntoSet;
 import google.registry.networking.handler.SslServerInitializer;
 import google.registry.proxy.Protocol.FrontendProtocol;
 import google.registry.proxy.handler.WebWhoisRedirectHandler;
+import google.registry.util.Clock;
+import google.registry.util.DateTimeUtils;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.handler.codec.http.HttpServerCodec;
@ -133,8 +135,15 @@ public final class WebWhoisProtocolsModule {
  static SslServerInitializer<NioSocketChannel> provideSslServerInitializer(
      SslProvider sslProvider,
      Supplier<PrivateKey> privateKeySupplier,
-      Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
+      Supplier<ImmutableList<X509Certificate>> certificatesSupplier,
+      Clock clock) {
    return new SslServerInitializer<>(
-        false, false, sslProvider, privateKeySupplier, certificatesSupplier);
+        false,
+        false,
+        sslProvider,
+        privateKeySupplier,
+        certificatesSupplier,
+        DateTimeUtils.END_OF_TIME,
+        clock);
  }
 }
--- a/proxy/src/main/java/google/registry/proxy/config/default-config.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/default-config.yaml
@ -8,6 +8,9 @@
 # GCP project ID
 projectId: your-gcp-project-id

+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "2021-04-01T16:00:00Z"
+
 # OAuth scope that the GoogleCredential will be constructed with. This list
 # should include all service scopes that the proxy depends on.
 gcpScopes:
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-alpha.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-alpha.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash-canary.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash-canary.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-local.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-local.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox-canary.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox-canary.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"