prometheus · SuperQ · May 13, 2020 · May 2, 2020 · May 4, 2020 · May 4, 2020
diff --git a/https/README.md b/https/README.md
@@ -14,18 +14,48 @@ The config file should be written in YAML format, and is reloaded on each connec
 ## Sample Config
 
 ```
-tls_config:
-  # Certificate and key files for server to use to authenticate to client
+tls_server_config:
+  # Certificate and key files for server to use to authenticate to client.
   cert_file: <filename>
   key_file: <filename>
 
-  # Server policy for client authentication. Maps to ClientAuth Policies
+  # Server policy for client authentication. Maps to ClientAuth Policies.
   # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
   [ client_auth_type: <string> | default = "NoClientCert" ]
 
-  # CA certificate for client certificate authentication to the server
+  # CA certificate for client certificate authentication to the server.
   [ client_ca_file: <filename> ]
 
+  # Minimum TLS version that is acceptable.
+  [ min_version: <string> | default = "TLS12" ]
+
+  # Maximum TLS version that is acceptable.
+  [ max_version: <string> | default = "TLS13" ]
+
+  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
+  # Go default cipher suites are used. Available cipher suites are documented
+  # in the go documentation:
+  # https://golang.org/pkg/crypto/tls/#pkg-constants
+  [ cipher_suites:
+    [ - <string> ] ]
+
+  # prefer_server_cipher_suites controls whether the server selects the
+  # client's most preferred ciphersuite, or the server's most preferred
+  # ciphersuite. If true then the server's preference, as expressed in
+  # the order of elements in cipher_suites, is used.
+  [ prefer_server_cipher_suites: <bool> | default = true ]
+
+  # Elliptic curves that will be used in an ECDHE handshake, in preference
+  # order. Available curves are documented in the go documentation:
+  # https://golang.org/pkg/crypto/tls/#CurveID
+  [ curve_preferences:
+    [ - <string> ] ]
+
+http_server_config:
+  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
+  # This can not be changed on the fly.
+  [ http2: <bool> | default = true ]
+
 # List of usernames and hashed passwords that have full access to the web
 # server via basic authentication. If empty, no basic authentication is
 # required. Passwords are hashed with bcrypt.

diff --git a/https/testdata/tls_config_auth_clientCAs_invalid.bad.yml b/https/testdata/tls_config_auth_clientCAs_invalid.bad.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_ca_file : "somefile"
diff --git a/https/testdata/tls_config_auth_clientCAs_missing.bad.yml b/https/testdata/tls_config_auth_clientCAs_missing.bad.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_auth_type : "RequireAndVerifyClientCert"
diff --git a/https/testdata/tls_config_auth_user_list_invalid.bad.yml b/https/testdata/tls_config_auth_user_list_invalid.bad.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
 basic_auth_users:

diff --git a/https/testdata/tls_config_junk_key.yml b/https/testdata/tls_config_junk_key.yml
@@ -1,2 +1,2 @@
-tls_config :
+tls_server_config :
   cert_filse: "testdata/server.crt"
diff --git a/https/testdata/tls_config_noAuth.bad.yml b/https/testdata/tls_config_noAuth.bad.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_ca_file : "testdata/tls-ca-chain.pem" 
diff --git a/https/testdata/tls_config_noAuth.good.blocking.yml b/https/testdata/tls_config_noAuth.good.blocking.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_auth_type : "RequireAndVerifyClientCert"

diff --git a/https/testdata/tls_config_noAuth.good.yml b/https/testdata/tls_config_noAuth.good.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_auth_type : "VerifyClientCertIfGiven"

diff --git a/https/testdata/tls_config_noAuth_allCiphers.good.yml b/https/testdata/tls_config_noAuth_allCiphers.good.yml
@@ -0,0 +1,26 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  - TLS_AES_128_GCM_SHA256
+  - TLS_AES_256_GCM_SHA384
+  - TLS_CHACHA20_POLY1305_SHA256
+  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+  - TLS_RSA_WITH_3DES_EDE_CBC_SHA
+  - TLS_RSA_WITH_AES_128_CBC_SHA
+  - TLS_RSA_WITH_AES_256_CBC_SHA
+  - TLS_RSA_WITH_AES_128_GCM_SHA256
+  - TLS_RSA_WITH_AES_256_GCM_SHA384
+
diff --git a/https/testdata/tls_config_noAuth_allCurves.good.yml b/https/testdata/tls_config_noAuth_allCurves.good.yml
@@ -0,0 +1,10 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  curve_preferences:
+    - CurveP256
+    - CurveP384
+    - CurveP521
+    - X25519
diff --git a/https/testdata/tls_config_noAuth_certPath_empty.bad.yml b/https/testdata/tls_config_noAuth_certPath_empty.bad.yml
@@ -1,3 +1,3 @@
-tls_config :
+tls_server_config :
   cert_file : ""
   key_file : "testdata/server.key"
diff --git a/https/testdata/tls_config_noAuth_certPath_invalid.bad.yml b/https/testdata/tls_config_noAuth_certPath_invalid.bad.yml
@@ -1,3 +1,3 @@
-tls_config :
+tls_server_config :
   cert_file : "somefile"
   key_file : "testdata/server.key"
diff --git a/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml b/https/testdata/tls_config_noAuth_certPath_keyPath_empty.bad.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : ""
   key_file : ""
   client_auth_type: "x"
diff --git a/https/testdata/tls_config_noAuth_certPath_keyPath_invalid.bad.yml b/https/testdata/tls_config_noAuth_certPath_keyPath_invalid.bad.yml
@@ -1,3 +1,3 @@
-tls_config :
+tls_server_config :
   cert_file : "somefile"
   key_file : "somefile"
diff --git a/https/testdata/tls_config_noAuth_inventedCiphers.bad.yml b/https/testdata/tls_config_noAuth_inventedCiphers.bad.yml
@@ -0,0 +1,8 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA2048
+
diff --git a/https/testdata/tls_config_noAuth_inventedCurves.bad.yml b/https/testdata/tls_config_noAuth_inventedCurves.bad.yml
@@ -0,0 +1,7 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  curve_preferences:
+    - CurveP257
diff --git a/https/testdata/tls_config_noAuth_keyPath_empty.bad.yml b/https/testdata/tls_config_noAuth_keyPath_empty.bad.yml
@@ -1,3 +1,3 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : ""
diff --git a/https/testdata/tls_config_noAuth_keyPath_invalid.bad.yml b/https/testdata/tls_config_noAuth_keyPath_invalid.bad.yml
@@ -1,3 +1,3 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.cert"
   key_file : "somefile"
diff --git a/https/testdata/tls_config_noAuth_noHTTP2.good.yml b/https/testdata/tls_config_noAuth_noHTTP2.good.yml
@@ -0,0 +1,10 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+    - TLS_RSA_WITH_AES_128_CBC_SHA
+  max_version: TLS12
+http_server_config:
+  http2: false
diff --git a/https/testdata/tls_config_noAuth_noHTTP2Cipher.bad.yml b/https/testdata/tls_config_noAuth_noHTTP2Cipher.bad.yml
@@ -0,0 +1,8 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+    - TLS_RSA_WITH_AES_128_CBC_SHA
+  max_version: TLS12
diff --git a/https/testdata/tls_config_noAuth_someCiphers.good.yml b/https/testdata/tls_config_noAuth_someCiphers.good.yml
@@ -0,0 +1,10 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  min_version: TLS12
+  max_version: TLS12
diff --git a/https/testdata/tls_config_noAuth_someCiphers_noOrder.good.yml b/https/testdata/tls_config_noAuth_someCiphers_noOrder.good.yml
@@ -0,0 +1,11 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  prefer_server_cipher_suites: false
+  min_version: TLS12
+  max_version: TLS12
diff --git a/https/testdata/tls_config_noAuth_someCurves.good.yml b/https/testdata/tls_config_noAuth_someCurves.good.yml
@@ -0,0 +1,8 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  min_version: TLS13
+  curve_preferences:
+  - CurveP521
diff --git a/https/testdata/tls_config_noAuth_wrongTLSVersion.bad.yml b/https/testdata/tls_config_noAuth_wrongTLSVersion.bad.yml
@@ -0,0 +1,6 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  min_version: TLS111
diff --git a/https/testdata/tls_config_users.good.yml b/https/testdata/tls_config_users.good.yml
@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
 basic_auth_users: