From 862772230c8e90a57fd739e0d5bf5c77890d6673 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Mon, 2 Mar 2020 09:30:05 +0100 Subject: [PATCH] Update to go1.14 --- .semaphoreci/golang.sh | 18 +++++----- CONTRIBUTING.md | 2 +- build.Dockerfile | 2 +- configuration/configuration.go | 6 ---- configuration/configuration_test.go | 4 +-- exp.Dockerfile | 2 +- server/server.go | 8 ++++- tls/certificate.go | 54 +++++++++++++++-------------- 8 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.semaphoreci/golang.sh b/.semaphoreci/golang.sh index ec24aac57..1cd7cf9c9 100755 --- a/.semaphoreci/golang.sh +++ b/.semaphoreci/golang.sh @@ -2,19 +2,19 @@ set -e -curl -O https://dl.google.com/go/go1.12.linux-amd64.tar.gz +curl -O https://dl.google.com/go/go1.14.linux-amd64.tar.gz -tar -xvf go1.12.linux-amd64.tar.gz -rm -rf go1.12.linux-amd64.tar.gz +tar -xvf go1.14.linux-amd64.tar.gz +rm -rf go1.14.linux-amd64.tar.gz -sudo mkdir -p /usr/local/golang/1.12/go -sudo mv go /usr/local/golang/1.12/ +sudo mkdir -p /usr/local/golang/1.14/go +sudo mv go /usr/local/golang/1.14/ sudo rm /usr/local/bin/go -sudo chmod +x /usr/local/golang/1.12/go/bin/go -sudo ln -s /usr/local/golang/1.12/go/bin/go /usr/local/bin/go +sudo chmod +x /usr/local/golang/1.14/go/bin/go +sudo ln -s /usr/local/golang/1.14/go/bin/go /usr/local/bin/go -export GOROOT="/usr/local/golang/1.12/go" -export GOTOOLDIR="/usr/local/golang/1.12/go/pkg/tool/linux_amd64" +export GOROOT="/usr/local/golang/1.14/go" +export GOTOOLDIR="/usr/local/golang/1.14/go/pkg/tool/linux_amd64" go version diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 484072b57..602b5c43b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -13,7 +13,7 @@ You need to run the `binary` target. This will create binaries for Linux platfor $ make binary docker build -t "traefik-dev:no-more-godep-ever" -f build.Dockerfile . Sending build context to Docker daemon 295.3 MB -Step 0 : FROM golang:1.12-alpine +Step 0 : FROM golang:1.14-alpine ---> 8c6473912976 Step 1 : RUN go get github.com/golang/dep/cmd/dep [...] diff --git a/build.Dockerfile b/build.Dockerfile index 51e757f52..aef4f70e9 100644 --- a/build.Dockerfile +++ b/build.Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.12-alpine +FROM golang:1.14-alpine RUN apk --update upgrade \ && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \ diff --git a/configuration/configuration.go b/configuration/configuration.go index ede7d8f86..9040e0c7a 100644 --- a/configuration/configuration.go +++ b/configuration/configuration.go @@ -212,12 +212,6 @@ func (gc *GlobalConfiguration) SetEffectiveConfiguration(configFile string) { } } - // Thanks to SSLv3 being enabled by mistake in golang 1.12, - // If no minVersion is set, apply TLS1.0 as the minimum. - if entryPoint.TLS != nil && len(entryPoint.TLS.MinVersion) == 0 { - entryPoint.TLS.MinVersion = "VersionTLS10" - } - if entryPoint.TLS != nil && entryPoint.TLS.DefaultCertificate == nil && len(entryPoint.TLS.Certificates) > 0 { log.Infof("No tls.defaultCertificate given for %s: using the first item in tls.certificates as a fallback.", entryPointName) entryPoint.TLS.DefaultCertificate = &entryPoint.TLS.Certificates[0] diff --git a/configuration/configuration_test.go b/configuration/configuration_test.go index 152734003..6e9333984 100644 --- a/configuration/configuration_test.go +++ b/configuration/configuration_test.go @@ -312,9 +312,7 @@ func TestSetEffectiveConfigurationTLSMinVersion(t *testing.T) { expected: EntryPoint{ Address: ":443", ForwardedHeaders: &ForwardedHeaders{Insecure: true}, - TLS: &tls.TLS{ - MinVersion: "VersionTLS10", - }, + TLS: &tls.TLS{}, }, }, } 
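Review bot: In the configuration_test.go hunk the case inside TestSetEffectiveConfigurationTLSMinVersion now expects `TLS: &tls.TLS{}`, so this test no longer pins the protocol floor; the effective minimum rests on the crypto/tls default of the toolchain. A comment on the case would record that this is deliberate, e.g. `// MinVersion left empty on purpose: go1.14 crypto/tls no longer supports SSLv3`. If a floor is meant to be guaranteed, an assertion on the tls.Config built by createTLSConfig would catch a regression, though whether such a test already exists is not visible here. The test function starts outside the hunk.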
diff --git a/exp.Dockerfile b/exp.Dockerfile index 3b8801cf2..b08bb5dd3 100644 --- a/exp.Dockerfile +++ b/exp.Dockerfile @@ -12,7 +12,7 @@ RUN yarn install RUN npm run build # BUILD -FROM golang:1.12-alpine as gobuild +FROM golang:1.14-alpine as gobuild RUN apk --update upgrade \ && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \ diff --git a/server/server.go b/server/server.go index 9d73984d3..91eb330e5 100644 --- a/server/server.go +++ b/server/server.go @@ -497,6 +497,12 @@ func (s *Server) createTLSConfig(entryPointName string, tlsOption *traefiktls.TL config.Certificates = []tls.Certificate{} } + // workaround for users who used GODEBUG to activate TLS1.3 + if strings.Contains(os.Getenv("GODEBUG"), "tls13=1") { + config.MaxVersion = tls.VersionTLS13 + } + config.MaxVersion = tls.VersionTLS12 + // Set the minimum TLS version if set in the config TOML if minConst, exists := traefiktls.MinVersion[s.entryPoints[entryPointName].Configuration.TLS.MinVersion]; exists { config.PreferServerCipherSuites = true @@ -505,7 +511,7 @@ func (s *Server) createTLSConfig(entryPointName string, tlsOption *traefiktls.TL // Set the list of CipherSuites if set in the config TOML if s.entryPoints[entryPointName].Configuration.TLS.CipherSuites != nil { - // if our list of CipherSuites is defined in the entrypoint config, we can re-initilize the suites list as empty + // if our list of CipherSuites is defined in the entrypoint config, we can re-initialize the suites list as empty config.CipherSuites = make([]uint16, 0) for _, cipher := range s.entryPoints[entryPointName].Configuration.TLS.CipherSuites { if cipherConst, exists := traefiktls.CipherSuites[cipher]; exists { diff --git a/tls/certificate.go b/tls/certificate.go index e2ff35aea..bff292b9a 100644 --- a/tls/certificate.go +++ b/tls/certificate.go 
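Review bot: In the first server.go hunk the unconditional `config.MaxVersion = tls.VersionTLS12` runs after the GODEBUG check, so the `tls13=1` branch is dead and every entry point is capped at TLS 1.2 whatever the operator sets. Assign the default first and let the opt-in override it: `config.MaxVersion = tls.VersionTLS12` followed by `if strings.Contains(os.Getenv("GODEBUG"), "tls13=1") { config.MaxVersion = tls.VersionTLS13 }`. The comment above the block could also say that TLS 1.2 is the intended ceiling unless the operator opts in, so the cap is visible to readers. createTLSConfig starts and ends outside the hunk, so whether MaxVersion is assigned again later cannot be seen here.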
@@ -25,32 +25,34 @@ var ( // CipherSuites Map of TLS CipherSuites from crypto/tls // Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants CipherSuites = map[string]uint16{ - "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, - "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, - "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, - "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, - "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - "TLS_AES_128_GCM_SHA256": 
tls.TLS_AES_128_GCM_SHA256, - "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384, - "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256, - "TLS_FALLBACK_SCSV": tls.TLS_FALLBACK_SCSV, + "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, + "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, + "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, + "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, + "TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + "TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + "TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": 
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + "TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256, + "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384, + "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256, + "TLS_FALLBACK_SCSV": tls.TLS_FALLBACK_SCSV, } )
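Review bot: The two added keys `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` have no comment saying that they are the go1.14 names for the same suite IDs as the unsuffixed entries directly above them, so the map now holds two spellings per ChaCha20 suite. A line such as `// *_CHACHA20_POLY1305_SHA256: go1.14 names, same IDs as the unsuffixed entries` above them would explain the duplication. The three TLS 1.3 names deserve a comment as well: crypto/tls does not let Config.CipherSuites select TLS 1.3 suites, so listing them in an entry point's cipherSuites presumably has no effect on a TLS 1.3 handshake. The var block opens before the hunk.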