fix: restrict the tls cipher (#6)

Signed-off-by: Jack Yu <[email protected]>
harvester · Jan 18, 2024 · 8043200 · 8043200
1 parent a15c5da
commit 8043200
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"time"
@@ -31,6 +32,13 @@ var (
 	failPolicyFail      = v1.Fail
 	failPolicyIgnore    = v1.Ignore
 	sideEffectClassNone = v1.SideEffectClassNone
+	whiteListedCiphers  = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	}
 )
 
 type server struct {
@@ -145,6 +153,10 @@ func (s *WebhookServer) listenAndServe(clients *clients.Clients, handler http.Ha
 				tlsName,
 			},
 			FilterCN: dynamiclistener.OnlyAllow(tlsName),
+			TLSConfig: &tls.Config{
+				MinVersion:   tls.VersionTLS12,
+				CipherSuites: whiteListedCiphers,
+			},
 		},
 	})
 }