Rest-server: how to disable TLS < 1.2?

I am running:
rest-server version rest-server 0.13.0 compiled with go1.22.5 on linux/amd64

My CERT finds the fault that the server is accepting TLS 1.0 and 1.1 and also the ciphers
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA,
which are not allowed any more at our site.

How can I disable them?

rest-server should only offer TLS 1.2 and 1.3


Hmm. I guess that means “no” :sweat_smile:

There’s no option exposed by the rest-server to influence the TLS ciphers.

What’s weird is that go1.22 should by default already disable TLS before 1.2:

But I just gave it a try using testssl.sh and apparently TLS 1.0 is still offered.

The 3DES ciphers should be disabled with go 1.23 (see crypto/tls in the release notes), but that yields the same unexpected behavior. Based on a quick glance at the rest-server code, I don’t see why that is happening. I guess I’ll need to have a closer look.

Ah, setting the environment variable GODEBUG=tls10server=0,tls3des=0 does the trick. tls3des only works when rest-server is compiled with go 1.23.

rest-server still has go 1.18 in its go.mod file. This lets the GODEBUG options match the behavior of that go version. That is, both TLS options are by default enabled.

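Added example, not rest-server's own code: a Go HTTPS server that sets MinVersion and an explicit TLS 1.2 cipher list in tls.Config. Explicit values take effect regardless of the go.mod version or the tls10server/tls3des GODEBUG switches discussed above, which only change the defaults used when these fields are left nil. The port and the cert.pem/key.pem paths are placeholders.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// hardenedTLSConfig returns a tls.Config that refuses TLS 1.0/1.1 and never
// negotiates a 3DES suite, whatever go.mod or GODEBUG says: an explicit
// MinVersion and CipherSuites list overrides the Go defaults those switches
// control.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		// TLS 1.3 suites are fixed by Go and not configurable; this list only
		// governs TLS 1.2. ECDHE + AEAD only, so no CBC and no 3DES.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// offers3DES reports whether an explicit cipher list still contains either of
// the two 3DES suites the CERT scan flagged. A nil list means "Go defaults",
// which this check deliberately does not try to interpret.
func offers3DES(cfg *tls.Config) bool {
	for _, id := range cfg.CipherSuites {
		if id == tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ||
			id == tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA {
			return true
		}
	}
	return false
}

func main() {
	// Placeholder port and certificate paths; supply your own.
	srv := &http.Server{
		Addr:      ":8008",
		Handler:   http.NotFoundHandler(),
		TLSConfig: hardenedTLSConfig(),
	}
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

After starting it, the same testssl.sh run as above should report TLS 1 and 1.1 as not offered and "Triple DES Ciphers / IDEA" as not offered.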

Ok, I have set export GODEBUG='tls10server=0,tls3des=0' and restarted rest-server:

root@obertux:~# testssl rs1.tik.uni-stuttgart.de:8008 | grep offered
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)
 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     offered
 Obsolete CBC ciphers (AES, ARIA etc.)         offered
 Strong encryption (AEAD ciphers)              offered (OK)
 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519
 OCSP stapling                not offered
 DNS CAA RR (experimental)    not offered
 Strict Transport Security    not offered
 TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered

but DES ciphers are still offered.

So it’s kind of expected that DES is still offered, isn’t it? Or did you recompile with a newer Go version?

I think you have to rebuild the server with go 1.23

I have it from Release v0.13.0 · restic/rest-server · GitHub

root@rs1:~# /opt/rest-server/rest-server --version
rest-server version rest-server 0.13.0 compiled with go1.22.5 on linux/amd64

It is go 1.22… you have.

Build it yourself using the latest go.