From da3c891203d037250517fc42a7bbc7d5a8a637e9 Mon Sep 17 00:00:00 2001 From: Derek Collison Date: Thu, 21 Jun 2018 18:46:25 -0700 Subject: [PATCH] Build requires 1.9+. Update to ciphers for 1.8+ by default, remove 1.5 version Signed-off-by: Derek Collison --- README.md | 13 +-- .../{ciphersuites_1.8.go => ciphersuites.go} | 2 - server/ciphersuites_1.5.go | 84 ------------------- 3 files changed, 7 insertions(+), 92 deletions(-) rename server/{ciphersuites_1.8.go => ciphersuites.go} (99%) delete mode 100644 server/ciphersuites_1.5.go diff --git a/README.md b/README.md index 11bc1fde..bfdba68d 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,9 @@ You can connect to a public NATS server that is running at our demo site: [nats: You can build the latest version of the server from the `master` branch. The master branch generally should build and pass tests, but may not work correctly in your environment. Note that stable branches of operating system packagers provided by your OS vendor may not be sufficient. -You need [*Go*](http://golang.org/) version 1.5+ [installed](https://golang.org/doc/install) to build the NATS server. We support vendored dependencies, which are fully supported in Go 1.6. For Go 1.5, build with `GO15VENDOREXPERIMENT=1`. +You need [*Go*](http://golang.org/) version 1.9+ [installed](https://golang.org/doc/install) to build the NATS server. We support vendored dependencies. -- Run `go version` to verify that you are running Go 1.5+. (Run `go help` for more guidance.) +- Run `go version` to verify that you are running Go 1.9+. (Run `go help` for more guidance.) - Clone the repository. - Run `go build` inside the `/nats-io/gnatsd` directory. A successful build produces no messages and creates the server executable `gnatsd` in the directory. - Run `go test ./...` to run the unit regression tests. @@ -618,14 +618,14 @@ Important to note, NATS Authorizations are whitelist only, meaning in order to n ### TLS -As of Release 0.7.0, the server can use modern TLS semantics for client connections, route connections, and the HTTPS monitoring port. -The server requires TLS version 1.2, and sets preferences for modern cipher suites that avoid those known with vulnerabilities. The -server's preferences when building with Go1.5 are as follows. +The server can use modern TLS semantics for client connections, route connections, and the HTTPS monitoring port. +The server requires TLS version 1.2, and sets preferences for modern cipher suites that avoid known vulnerabilities. ```go func defaultCipherSuites() []uint16 { return []uint16{ - // The SHA384 versions are only in Go1.5+ + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, @@ -640,6 +640,7 @@ func defaultCurvePreferences() []tls.CurveID { return []tls.CurveID{ tls.CurveP521, tls.CurveP384, + tls.X25519, // faster than P256, arguably more secure tls.CurveP256, } } diff --git a/server/ciphersuites_1.8.go b/server/ciphersuites.go similarity index 99% rename from server/ciphersuites_1.8.go rename to server/ciphersuites.go index ae84058c..cbc5a2ff 100644 --- a/server/ciphersuites_1.8.go +++ b/server/ciphersuites.go @@ -11,8 +11,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -// +build go1.8 - package server import ( diff --git a/server/ciphersuites_1.5.go b/server/ciphersuites_1.5.go deleted file mode 100644 index 7eca01c6..00000000 --- a/server/ciphersuites_1.5.go +++ /dev/null @@ -1,84 +0,0 @@ -// Copyright 2016-2018 The NATS Authors -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// +build go1.5,!go1.8 - -package server - -import ( - "crypto/tls" -) - -// Where we maintain all of the available ciphers -var cipherMap = map[string]uint16{ - "TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA, - "TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, - "TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA, - "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, -} - -var cipherMapByID = map[uint16]string{ - tls.TLS_RSA_WITH_RC4_128_SHA: "TLS_RSA_WITH_RC4_128_SHA", - tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA", - tls.TLS_RSA_WITH_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA", - tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", -} - -func defaultCipherSuites() []uint16 { - return []uint16{ - // The SHA384 versions are only in Go1.5 and beyond - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - } -} - -// Where we maintain available curve preferences -var curvePreferenceMap = map[string]tls.CurveID{ - "CurveP256": tls.CurveP256, - "CurveP384": tls.CurveP384, - "CurveP521": tls.CurveP521, -} - -// reorder to default to the highest level of security. See: -// https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go -func defaultCurvePreferences() []tls.CurveID { - return []tls.CurveID{ - tls.CurveP521, - tls.CurveP384, - tls.CurveP256, - } -}