From 959b35d9741e0478209445fa5960d50346cd4ca6 Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Wed, 18 Mar 2015 14:52:49 -0700
Subject: [PATCH] Update auth client configuration to use proper tls config

Currently the http clients used by auth use the default tls config.
The config needs to be updated to only support TLS1.0 and newer as well as respect registry insecure configuration.

Signed-off-by: Derek McGowan (github: dmcgowan)
---
registry/auth.go | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/registry/auth.go b/registry/auth.go
index 3207c87e82..bb91c95c00 100644
--- a/registry/auth.go
+++ b/registry/auth.go
@@ -1,6 +1,7 @@
package registry
import (
+ "crypto/tls"
"encoding/base64"
"encoding/json"
"errors"
@@ -70,10 +71,19 @@ func (auth *RequestAuthorization) getToken() (string, error) {
return auth.tokenCache, nil
}
+ tlsConfig := tls.Config{
+ MinVersion: tls.VersionTLS10,
+ }
+ if !auth.registryEndpoint.IsSecure {
+ tlsConfig.InsecureSkipVerify = true
+ }
+
client := &http.Client{
Transport: &http.Transport{
DisableKeepAlives: true,
- Proxy: http.ProxyFromEnvironment},
+ Proxy: http.ProxyFromEnvironment,
+ TLSClientConfig: &tlsConfig,
+ },
CheckRedirect: AddRequiredHeadersToRedirectedRequests,
}
factory := HTTPRequestFactory(nil)
@@ -362,10 +372,18 @@ func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.
func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
+ tlsConfig := tls.Config{
+ MinVersion: tls.VersionTLS10,
+ }
+ if !registryEndpoint.IsSecure {
+ tlsConfig.InsecureSkipVerify = true
+ }
+
client := &http.Client{
Transport: &http.Transport{
DisableKeepAlives: true,
Proxy: http.ProxyFromEnvironment,
+ TLSClientConfig: &tlsConfig,
},
CheckRedirect: AddRequiredHeadersToRedirectedRequests,
}
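Review bot: The TLS configuration block added in getToken (the `tlsConfig := tls.Config{ ... }` through `tlsConfig.InsecureSkipVerify = true`) is copied verbatim into loginV2 in the next hunk, so the two auth clients can silently drift apart the next time the floor or the verification policy changes; a single helper taking the `*Endpoint` keeps both clients on one policy and gives the insecure branch one place for a comment stating that `InsecureSkipVerify` turns off both chain and hostname verification and is reached only when the endpoint is configured as insecure. Each call site then becomes `TLSClientConfig: newRegistryTLSConfig(auth.registryEndpoint),` in getToken and `TLSClientConfig: newRegistryTLSConfig(registryEndpoint),` in loginV2; this assumes `auth.registryEndpoint` has the same `*Endpoint` type as loginV2's parameter, which the hunk does not show. The `tls.VersionTLS10` floor matches the commit message; if the registries in scope negotiate TLS 1.2, `tls.VersionTLS12` is the stronger floor and worth a comment either way so the choice is visible. getToken begins and ends outside this hunk, and loginV2 continues past the end of the following one.
```go
// newRegistryTLSConfig returns the TLS configuration shared by the auth HTTP
// clients. Certificate chain and hostname verification are disabled only for
// an endpoint configured as insecure.
func newRegistryTLSConfig(endpoint *Endpoint) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS10}
	if !endpoint.IsSecure {
		cfg.InsecureSkipVerify = true
	}
	return cfg
}
// … unchanged: getToken and loginV2 client construction, with TLSClientConfig set from the helper …
```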