Add configuration to set minimum TLS version accepted by the metrics server port. (oliver006#666)

Author: bjosv

README.md

@@ -169,6 +169,7 @@ Prometheus uses file watches and all changes to the json file are applied immedi
 | tls-server-key-file     | REDIS_EXPORTER_TLS_SERVER_KEY_FILE     | Name of the server key file (including full path) if the web interface and telemetry should use TLS                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 | tls-server-cert-file    | REDIS_EXPORTER_TLS_SERVER_CERT_FILE    | Name of the server certificate file (including full path) if the web interface and telemetry should use TLS                                                                                                                                                                                                                                                                                                                                                                                                                                       |
 | tls-server-ca-cert-file | REDIS_EXPORTER_TLS_SERVER_CA_CERT_FILE | Name of the CA certificate file (including full path) if the web interface and telemetry should require TLS client authentication                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| tls-server-min-version  | REDIS_EXPORTER_TLS_SERVER_MIN_VERSION  | Minimum TLS version that is acceptable by the web interface and telemetry when using TLS, defaults to `TLS1.2` (supports `TLS1.0`,`TLS1.1`,`TLS1.2`,`TLS1.3`).                                                                                                                                                                                                                                                                                                                                                                                    |
 | tls-ca-cert-file        | REDIS_EXPORTER_TLS_CA_CERT_FILE        | Name of the CA certificate file (including full path) if the server requires TLS client authentication                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | set-client-name         | REDIS_EXPORTER_SET_CLIENT_NAME         | Whether to set client name to redis_exporter, defaults to true.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | check-key-groups        | REDIS_EXPORTER_CHECK_KEY_GROUPS        | Comma separated list of [LUA regexes](https://www.lua.org/pil/20.1.html) for classifying keys into groups. The regexes are applied in specified order to individual keys, and the group name is generated by concatenating all capture groups of the first regex that matches a key. A key will be tracked under the `unclassified` group if none of the specified regexes matches it.                                                                                                                                                            |

contrib/docker-compose-for-tests.yml

@@ -15,7 +15,7 @@ services:
 
   redis7:
     image: redis:7.0
-    command: "redis-server --protected-mode no --dbfilename dump7.rdb"
+    command: "redis-server --port 6384 --protected-mode no --dbfilename dump7.rdb"
     ports:
       - "16384:6384"
 

exporter/tls.go

@@ -3,6 +3,7 @@ package exporter
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"io/ioutil"
 
 	log "github.com/sirupsen/logrus"
@@ -33,15 +34,29 @@ func (e *Exporter) CreateClientTLSConfig() (*tls.Config, error) {
 	return &tlsConfig, nil
 }
 
-// CreateServerTLSConfig verifies configured files and return a prepared tls.Config
-func (e *Exporter) CreateServerTLSConfig(certFile, keyFile, caCertFile string) (*tls.Config, error) {
+var tlsVersions = map[string]uint16{
+	"TLS1.3": tls.VersionTLS13,
+	"TLS1.2": tls.VersionTLS12,
+	"TLS1.1": tls.VersionTLS11,
+	"TLS1.0": tls.VersionTLS10,
+}
+
+// CreateServerTLSConfig verifies configuration and return a prepared tls.Config
+func (e *Exporter) CreateServerTLSConfig(certFile, keyFile, caCertFile, minVersionString string) (*tls.Config, error) {
 	// Verify that the initial key pair is accepted
 	_, err := LoadKeyPair(certFile, keyFile)
 	if err != nil {
 		return nil, err
 	}
 
+	// Get minimum acceptable TLS version from the config string
+	minVersion, ok := tlsVersions[minVersionString]
+	if !ok {
+		return nil, fmt.Errorf("configured minimum TLS version unknown: '%s'", minVersionString)
+	}
+
 	tlsConfig := tls.Config{
+		MinVersion:     minVersion,
 		GetCertificate: GetServerCertificateFunc(certFile, keyFile),
 	}
 

exporter/tls_test.go

@@ -43,25 +43,29 @@ func TestCreateServerTLSConfig(t *testing.T) {
 	e := getTestExporter()
 
 	// positive tests
-	_, err := e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "")
+	_, err := e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "", "TLS1.1")
 	if err != nil {
 		t.Errorf("CreateServerTLSConfig() err: %s", err)
 	}
-	_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "../contrib/tls/ca.crt")
+	_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "../contrib/tls/ca.crt", "TLS1.0")
 	if err != nil {
 		t.Errorf("CreateServerTLSConfig() err: %s", err)
 	}
 
 	// negative tests
-	_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "")
+	_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "", "TLS1.1")
 	if err == nil {
 		t.Errorf("Expected CreateServerTLSConfig() to fail")
 	}
-	_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "/nonexisting/file")
+	_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "/nonexisting/file", "TLS1.2")
 	if err == nil {
 		t.Errorf("Expected CreateServerTLSConfig() to fail")
 	}
-	_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "/nonexisting/file")
+	_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "/nonexisting/file", "TLS1.3")
+	if err == nil {
+		t.Errorf("Expected CreateServerTLSConfig() to fail")
+	}
+	_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "../contrib/tls/ca.crt", "TLSX")
 	if err == nil {
 		t.Errorf("Expected CreateServerTLSConfig() to fail")
 	}

main.go

@@ -77,6 +77,7 @@ func main() {
 		tlsServerKeyFile     = flag.String("tls-server-key-file", getEnv("REDIS_EXPORTER_TLS_SERVER_KEY_FILE", ""), "Name of the server key file (including full path) if the web interface and telemetry should use TLS")
 		tlsServerCertFile    = flag.String("tls-server-cert-file", getEnv("REDIS_EXPORTER_TLS_SERVER_CERT_FILE", ""), "Name of the server certificate file (including full path) if the web interface and telemetry should use TLS")
 		tlsServerCaCertFile  = flag.String("tls-server-ca-cert-file", getEnv("REDIS_EXPORTER_TLS_SERVER_CA_CERT_FILE", ""), "Name of the CA certificate file (including full path) if the web interface and telemetry should require TLS client authentication")
+		tlsServerMinVersion  = flag.String("tls-server-min-version", getEnv("REDIS_EXPORTER_TLS_SERVER_MIN_VERSION", "TLS1.2"), "Minimum TLS version that is acceptable by the web interface and telemetry when using TLS")
 		maxDistinctKeyGroups = flag.Int64("max-distinct-key-groups", getEnvInt64("REDIS_EXPORTER_MAX_DISTINCT_KEY_GROUPS", 100), "The maximum number of distinct key groups with the most memory utilization to present as distinct metrics per database, the leftover key groups will be aggregated in the 'overflow' bucket")
 		isDebug              = flag.Bool("debug", getEnvBool("REDIS_EXPORTER_DEBUG", false), "Output verbose debug information")
 		setClientName        = flag.Bool("set-client-name", getEnvBool("REDIS_EXPORTER_SET_CLIENT_NAME", true), "Whether to set client name to redis_exporter")
@@ -203,7 +204,7 @@ func main() {
 	if *tlsServerCertFile != "" && *tlsServerKeyFile != "" {
 		log.Debugf("Bind as TLS using cert %s and key %s", *tlsServerCertFile, *tlsServerKeyFile)
 
-		tlsConfig, err := exp.CreateServerTLSConfig(*tlsServerCertFile, *tlsServerKeyFile, *tlsServerCaCertFile)
+		tlsConfig, err := exp.CreateServerTLSConfig(*tlsServerCertFile, *tlsServerKeyFile, *tlsServerCaCertFile, *tlsServerMinVersion)
 		if err != nil {
 			log.Fatal(err)
 		}