Birdwatcher enabling more secure TLS communication

[Yorgh]

Hello,

Thank you for the job.
We would like to be able to disable TLS v1.0 and v1.1 and maybe use stronger Ciphers than the default ones.

It does not seem to be configurable.
I am not a developer that is why I cannot affirm anything.

I think the TLS configuration for Birdwatcher is using this package: https://pkg.go.dev/crypto/tls
If it is the case, it should be possible to implement this ability.

Thanks in advance for any feedback.

[Yorgh]

Hello again,

Is there aynone interested i this as well.
If you think I can help, please, tell me how I can contribute to get this solved.

Thanks in advance

[annikahannig]

If you require additional security, I recommend binding birdwatcher to localhost and let a reverse proxy like nginx or haproxy do the TLS termination.

[annikahannig]

I can see scenarios though where integrating this would make sense.

[Yorgh]

Hello Annika,

Thank you for your feedback and sorry for the delay I took to reply to it.
We should be able to discuss on the workaround you suggested internally on Monday and will provide you with feedback then.

It is not related but I wanted to congrat you regarding your nice presentation yesterday during the Ripe83 meeting.

So, I should update it on Monday.

[Yorgh]

Hello Annika,

After having discussed internally, we think it is overkilled to use nginx to address this in our infrastructure.
I then checked a bit if I could find pieces of code to assemble, but even if I am not a bad monkey, without any go knowledge, it would take me too much time.

I let this link which might help others wanting the same feature: https://gist.github.com/denji/12b3a568f092ab951456

If someone decides to address this issue, I would be pleased to participate looking for information if needed.

[annikahannig]

if I read this correctly adding something like

    mux := http.NewServeMux()
    mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
        w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
        w.Write([]byte("This is an example server.\n"))
    })
    cfg := &tls.Config{
        MinVersion:               tls.VersionTLS12,
        CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
        PreferServerCipherSuites: true,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
        },
    }
    srv := &http.Server{
        Addr:         ":443",
        Handler:      mux,
        TLSConfig:    cfg,
        TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
    }
    log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))

when initializing the http server

[annikahannig]

should be possible...

[Yorgh]

Dear Annika,

Thank you for this reply.
We may be able to add this portion of code but we would then have to compile it each time new TLS version or safer Ciphers are proposed.
We might consider it as a workaround but not as a solution.
According to me, we should be able to apply the wanted settings in a configuration file.
Thanks for taking care of it.