authoruzhas <uzhas@ydb.tech>2023-10-31 19:17:53 +0300
committeruzhas <uzhas@ydb.tech>2023-10-31 19:39:26 +0300
commit870a2c8622915bc8680a021d304afb6b8c2bfe25 (patch)
tree0992e533bfb9d4019f0fd1c240f37a3c4230e598
parentbac466e481ddc0e069ad444060c572575bb4960b (diff)
connector: use min version 1.2 for TLS
-rw-r--r--ydb/library/yql/providers/generic/connector/app/server/service_connector.go18
1 files changed, 11 insertions, 7 deletions
diff --git a/ydb/library/yql/providers/generic/connector/app/server/service_connector.go b/ydb/library/yql/providers/generic/connector/app/server/service_connector.go
index 991c87bebec..c991f3a1426 100644
--- a/ydb/library/yql/providers/generic/connector/app/server/service_connector.go
+++ b/ydb/library/yql/providers/generic/connector/app/server/service_connector.go
@@ -2,6 +2,7 @@ package server
import (
"context"
+ "crypto/tls"
"fmt"
"net"
@@ -231,16 +232,16 @@ func (s *serviceConnector) start() error {
func makeGRPCOptions(logger log.Logger, cfg *config.TServerConfig) ([]grpc.ServerOption, error) {
var (
- opts []grpc.ServerOption
- tls *config.TServerTLSConfig
+ opts []grpc.ServerOption
+ tlsConfig *config.TServerTLSConfig
)
// TODO: drop deprecated fields after YQ-2057
switch {
case cfg.GetConnectorServer().GetTls() != nil:
- tls = cfg.GetConnectorServer().GetTls()
+ tlsConfig = cfg.GetConnectorServer().GetTls()
case cfg.GetTls() != nil:
- tls = cfg.GetTls()
+ tlsConfig = cfg.GetTls()
default:
logger.Warn("server will use insecure connections")
@@ -249,13 +250,16 @@ func makeGRPCOptions(logger log.Logger, cfg *config.TServerConfig) ([]grpc.Serve
logger.Info("server will use TLS connections")
- logger.Debug("reading key pair", log.String("cert", tls.Cert), log.String("key", tls.Key))
+ logger.Debug("reading key pair", log.String("cert", tlsConfig.Cert), log.String("key", tlsConfig.Key))
- creds, err := credentials.NewServerTLSFromFile(tls.Cert, tls.Key)
+ cert, err := tls.LoadX509KeyPair(tlsConfig.Cert, tlsConfig.Key)
if err != nil {
- return nil, fmt.Errorf("new server TLS from file: %w", err)
+ return nil, fmt.Errorf("LoadX509KeyPair: %w", err)
}
+ // for security reasons we do not allow TLS < 1.2, see YQ-1877
+ creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
+
opts = append(opts, grpc.Creds(creds))
return opts, nil
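Review bot: The new tls.Config at line 54 pins MinVersion but leaves CipherSuites at the toolchain default, so a TLS 1.2 client can still negotiate CBC-mode suites and, on Go before 1.22, RSA key-exchange suites with no forward secrecy; if YQ-1877 is about hardening rather than only dropping 1.0/1.1, pin the list with `CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305}` (TLS 1.3 suites are not configurable and stay enabled). credentials.NewTLS clones the config and, depending on the vendored grpc-go version, may layer its own defaults on top, so the effective suite list should be checked against that version rather than assumed. Separately, the key pair is loaded once at startup on line 48, so rotating the files on disk requires a restart; a `GetCertificate` callback would avoid that, though that is a follow-up rather than a defect introduced here. makeGRPCOptions opens in the previous hunk and its closing brace lies outside this one.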