Update auth client configuration to use proper tls config

Currently the http clients used by auth use the default tls config. The config needs to be updated to only support TLS1.0 and newer as well as respect registry insecure configuration. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2022-11-09 12:21:53 -05:00 · 2015-03-18 14:52:49 -07:00 · 2015-03-18 14:52:49 -07:00 · 959b35d974
commit 959b35d974
parent f42acd070a
1 changed files with 19 additions and 1 deletions
--- a/registry/auth.go
+++ b/registry/auth.go
@ -1,6 +1,7 @@
 package registry

 import (
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@ -70,10 +71,19 @@ func (auth *RequestAuthorization) getToken() (string, error) {
 		return auth.tokenCache, nil
 	}

+	tlsConfig := tls.Config{
+		MinVersion: tls.VersionTLS10,
+	}
+	if !auth.registryEndpoint.IsSecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
 	client := &http.Client{
 		Transport: &http.Transport{
 			DisableKeepAlives: true,
-			Proxy:             http.ProxyFromEnvironment},
+			Proxy:             http.ProxyFromEnvironment,
+			TLSClientConfig:   &tlsConfig,
+		},
 		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
 	}
 	factory := HTTPRequestFactory(nil)
@ -362,10 +372,18 @@ func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.
 func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
 	log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)

+	tlsConfig := tls.Config{
+		MinVersion: tls.VersionTLS10,
+	}
+	if !registryEndpoint.IsSecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
 	client := &http.Client{
 		Transport: &http.Transport{
 			DisableKeepAlives: true,
 			Proxy:             http.ProxyFromEnvironment,
+			TLSClientConfig:   &tlsConfig,
 		},
 		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
 	}