From 8cf90948714909f3239de0e12165b3624384103f Mon Sep 17 00:00:00 2001
From: Tuomo Tanskanen
Date: Tue, 31 Oct 2023 16:55:06 +0200
Subject: [PATCH] bug: return initialConfig instead of empty tlsConfig

When TLS certificate reloading functionality was implemented and released in Dex 2.37.0, added newTLSReloader() returns empty tlsConfig and discards the provided, already configured tlsConfig. Server's with empty tlsConfig override Go's sensible defaults, and starts serving Dex over TLS 1.0 and TLS 1.1 in addition to Go's defaults TLS 1.2+. TLS 1.0 and 1.1 are long deprecated and vulnerable, making this a security risk. Server and its secrets are vulnerable to attackers.
---
 cmd/dex/serve.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 38395fc6..54767494 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -647,17 +647,16 @@ func newTLSReloader(logger log.Logger, certFile, keyFile, caFile string, baseCon
 		}
 	}()
-	conf := &tls.Config{}
 	// https://pkg.go.dev/crypto/tls#baseConfig
 	// Server configurations must set one of Certificates, GetCertificate or GetConfigForClient.
 	if caFile != "" {
 		// grpc will use this via tls.Server for mTLS
-		conf.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) { return ptr.Load(), nil }
+		initialConfig.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) { return ptr.Load(), nil }
 	} else {
 		// net/http only uses Certificates or GetCertificate
-		conf.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) { return &ptr.Load().Certificates[0], nil }
+		initialConfig.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) { return &ptr.Load().Certificates[0], nil }
 	}
-	return conf, nil
+	return initialConfig, nil
 }
 // loadTLSConfig loads the given file paths into a [tls.Config]
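Review bot: Returning `initialConfig` restores the base config's MinVersion and other hardening for the value handed to the listener, but the config actually used at handshake time is whatever `ptr.Load()` yields in the two `+` closures, and the reload path that stores into `ptr` lies outside this hunk, so a reload that rebuilds the config from scratch rather than from the base config would silently reintroduce the same TLS 1.0/1.1 downgrade. I'd add a regression test asserting that the config returned by `newTLSReloader(...)` has the base config's MinVersion, and that the config returned by `GetConfigForClient` after a reload has it too, since nothing in the patch pins this. The `GetCertificate` closure on the second `+` line still dereferences `Certificates[0]` unguarded; if the loader can ever store a config with an empty certificate list this panics inside the TLS handshake, so either a length check returning an error or a comment such as `// the loader stores at least one certificate — TODO confirm` would make the invariant explicit. newTLSReloader begins before this hunk and `initialConfig` and `ptr` are defined there.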