fix(tls): use Go TLS defaults (#8227)

Remove fixed TLS 1.2 cipher suite list and maximum TLS version so
crypto/tls can use its maintained defaults. Keep TLS 1.2 as the
minimum supported version.

Document the shared TLS default behavior for plugins that expose TLS
configuration and add coverage to ensure CoreDNS leaves Go-managed
TLS fields unset.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
This commit is contained in:
Ville Vesilehto
2026-07-05 02:03:02 +03:00
committed by GitHub
parent 679f764ae1
commit bc4343b083
6 changed files with 44 additions and 16 deletions

View File

@@ -13,15 +13,6 @@ import (
func setTLSDefaults(ctls *tls.Config) {
ctls.MinVersion = tls.VersionTLS12
ctls.MaxVersion = tls.VersionTLS13
ctls.CipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
}
// NewTLSConfigFromArgs returns a TLS config based upon the passed
@@ -102,7 +93,7 @@ func NewTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
return nil, err
}
// #nosec G402 -- MinVersion and MaxVersion are set in setTLSDefaults
// #nosec G402 -- MinVersion is set in setTLSDefaults
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: roots,
@@ -120,7 +111,7 @@ func NewTLSClientConfig(caPath string) (*tls.Config, error) {
return nil, err
}
// #nosec G402 -- MinVersion and MaxVersion are set in setTLSDefaults
// #nosec G402 -- MinVersion is set in setTLSDefaults
tlsConfig := &tls.Config{
RootCAs: roots,
}

View File

@@ -1,6 +1,7 @@
package tls
import (
"crypto/tls"
"path/filepath"
"testing"
@@ -21,35 +22,55 @@ func getPEMFiles(t *testing.T) (cert, key, ca string) {
return
}
func assertTLSDefaults(t *testing.T, c *tls.Config) {
t.Helper()
if c.MinVersion != tls.VersionTLS12 {
t.Errorf("MinVersion = %d, want %d", c.MinVersion, tls.VersionTLS12)
}
if c.MaxVersion != 0 {
t.Errorf("MaxVersion = %d, want 0 to use Go defaults", c.MaxVersion)
}
if c.CipherSuites != nil {
t.Errorf("CipherSuites = %v, want nil to use Go defaults", c.CipherSuites)
}
if c.CurvePreferences != nil {
t.Errorf("CurvePreferences = %v, want nil to use Go defaults", c.CurvePreferences)
}
}
func TestNewTLSConfig(t *testing.T) {
cert, key, ca := getPEMFiles(t)
_, err := NewTLSConfig(cert, key, ca)
c, err := NewTLSConfig(cert, key, ca)
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
}
func TestNewTLSClientConfig(t *testing.T) {
_, _, ca := getPEMFiles(t)
_, err := NewTLSClientConfig(ca)
c, err := NewTLSClientConfig(ca)
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
}
func TestNewTLSConfigFromArgs(t *testing.T) {
cert, key, ca := getPEMFiles(t)
_, err := NewTLSConfigFromArgs()
c, err := NewTLSConfigFromArgs()
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
c, err := NewTLSConfigFromArgs(ca)
c, err = NewTLSConfigFromArgs(ca)
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
if c.RootCAs == nil {
t.Error("RootCAs should not be nil when one arg passed")
}
@@ -58,6 +79,7 @@ func TestNewTLSConfigFromArgs(t *testing.T) {
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
if c.RootCAs != nil {
t.Error("RootCAs should be nil when two args passed")
}
@@ -69,6 +91,7 @@ func TestNewTLSConfigFromArgs(t *testing.T) {
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
if c.RootCAs == nil {
t.Error("RootCAs should not be nil when three args passed")
}
@@ -92,6 +115,7 @@ func TestNewTLSConfigFromArgsWithRoot(t *testing.T) {
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
assertTLSDefaults(t, c)
if c.RootCAs == nil {
t.Error("RootCAs should not be nil when three args passed")
}