From c1599feb236a902d2582ddea57d5d3f0cf9ba4ea Mon Sep 17 00:00:00 2001
From: Antoine Toulme <antoine@toulme.name>
Date: Wed, 17 Jan 2024 15:03:30 -0800
Subject: [PATCH] [configtls] support setting cipher suites (#9168)

**Description:**
Add `cipher_suites` to configtls:
Users can specify a list of cipher suites to pick from. If left blank, a
safe default list is used.

**Link to tracking Issue:**
Fixes #8105

**Testing:**
Unit tests

**Documentation:**
godoc and README

---------

Co-authored-by: Alex Boten <aboten@lightstep.com>
---
 .chloggen/cipher_suites.yaml       | 26 ++++++++++++++++
 config/configtls/README.md         | 11 +++++++
 config/configtls/configtls.go      | 30 ++++++++++++++++++
 config/configtls/configtls_test.go | 49 ++++++++++++++++++++++++++++++
 4 files changed, 116 insertions(+)
 create mode 100755 .chloggen/cipher_suites.yaml

diff --git a/.chloggen/cipher_suites.yaml b/.chloggen/cipher_suites.yaml
new file mode 100755
index 00000000000..b7032599425
--- /dev/null
+++ b/.chloggen/cipher_suites.yaml
@@ -0,0 +1,26 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
+component: configtls
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: add `cipher_suites` to configtls.
+
+# One or more tracking issues or pull requests related to the change
+issues: [8105]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Users can specify a list of cipher suites to pick from. If left blank, a safe default list is used.
+
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
\ No newline at end of file
diff --git a/config/configtls/README.md b/config/configtls/README.md
index f8901de94fa..8732bf82f9b 100644
--- a/config/configtls/README.md
+++ b/config/configtls/README.md
@@ -48,6 +48,17 @@ __IMPORTANT__: TLS 1.0 and 1.1 are deprecated due to known vulnerabilities and s
 - `max_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/ed9db1d36ad6ef61095d5941ad9ee6da7ab6d05a/src/crypto/tls/common.go#L700) - currently TLS 1.3): Maximum acceptable TLS version.
   - options: ["1.0", "1.1", "1.2", "1.3"]
 
+Explicit cipher suites can be set. If left blank, a safe default list is used. See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.
+- `cipher_suites`: (default = []): List of cipher suites to use.
+
+Example:
+```
+  cipher_suites:
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+```
+
 Additionally certificates may be reloaded by setting the below configuration.
 
 - `reload_interval` (optional) : ReloadInterval specifies the duration after which the certificate will be reloaded.
diff --git a/config/configtls/configtls.go b/config/configtls/configtls.go
index ca15f12d08b..b93f016c44c 100644
--- a/config/configtls/configtls.go
+++ b/config/configtls/configtls.go
@@ -6,6 +6,7 @@ package configtls // import "go.opentelemetry.io/collector/config/configtls"
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -54,6 +55,11 @@ type TLSSetting struct {
 	// If not set, refer to crypto/tls for defaults. (optional)
 	MaxVersion string `mapstructure:"max_version"`
 
+	// CipherSuites is a list of TLS cipher suites that the TLS transport can use.
+	// If left blank, a safe default list is used.
+	// See https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites.
+	CipherSuites []string `mapstructure:"cipher_suites"`
+
 	// ReloadInterval specifies the duration after which the certificate will be reloaded
 	// If not set, it will never be reloaded (optional)
 	ReloadInterval time.Duration `mapstructure:"reload_interval"`
@@ -175,6 +181,10 @@ func (c TLSSetting) loadTLSConfig() (*tls.Config, error) {
 	if err != nil {
 		return nil, fmt.Errorf("invalid TLS max_version: %w", err)
 	}
+	cipherSuites, err := convertCipherSuites(c.CipherSuites)
+	if err != nil {
+		return nil, err
+	}
 
 	return &tls.Config{
 		RootCAs:              certPool,
@@ -182,9 +192,29 @@ func (c TLSSetting) loadTLSConfig() (*tls.Config, error) {
 		GetClientCertificate: getClientCertificate,
 		MinVersion:           minTLS,
 		MaxVersion:           maxTLS,
+		CipherSuites:         cipherSuites,
 	}, nil
 }
 
+func convertCipherSuites(cipherSuites []string) ([]uint16, error) {
+	var result []uint16
+	var errs []error
+	for _, suite := range cipherSuites {
+		found := false
+		for _, supported := range tls.CipherSuites() {
+			if suite == supported.Name {
+				result = append(result, supported.ID)
+				found = true
+				break
+			}
+		}
+		if !found {
+			errs = append(errs, fmt.Errorf("invalid TLS cipher suite: %q", suite))
+		}
+	}
+	return result, errors.Join(errs...)
+}
+
 func (c TLSSetting) loadCACertPool() (*x509.CertPool, error) {
 	// There is no need to load the System Certs for RootCAs because
 	// if the value is nil, it will default to checking against th System Certs.
diff --git a/config/configtls/configtls_test.go b/config/configtls/configtls_test.go
index db1658f1dbf..ca705434810 100644
--- a/config/configtls/configtls_test.go
+++ b/config/configtls/configtls_test.go
@@ -627,3 +627,52 @@ func TestMinMaxTLSVersions(t *testing.T) {
 		})
 	}
 }
+
+func TestCipherSuites(t *testing.T) {
+	tests := []struct {
+		name       string
+		tlsSetting TLSSetting
+		wantErr    string
+		result     []uint16
+	}{
+		{
+			name:       "no suites set",
+			tlsSetting: TLSSetting{},
+			result:     nil,
+		},
+		{
+			name: "one cipher suite set",
+			tlsSetting: TLSSetting{
+				CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
+			},
+			result: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+		},
+		{
+			name: "invalid cipher suite set",
+			tlsSetting: TLSSetting{
+				CipherSuites: []string{"FOO"},
+			},
+			wantErr: `invalid TLS cipher suite: "FOO"`,
+		},
+		{
+			name: "multiple invalid cipher suites set",
+			tlsSetting: TLSSetting{
+				CipherSuites: []string{"FOO", "BAR"},
+			},
+			wantErr: `invalid TLS cipher suite: "FOO"
+invalid TLS cipher suite: "BAR"`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			config, err := test.tlsSetting.loadTLSConfig()
+			if test.wantErr != "" {
+				assert.EqualError(t, err, test.wantErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.result, config.CipherSuites)
+			}
+		})
+	}
+}