fix(tls): centralize the TLS configuration to ensure FIPS compliance BE-11979 (#960)

api/http/handler/endpoints/endpoint_create.go

@@ -1,7 +1,6 @@
 package endpoints
 
 import (
-	"crypto/tls"
 	"errors"
 	"net/http"
 	"runtime"
@@ -285,8 +284,6 @@ func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *
 }
 
 func (handler *Handler) createEndpoint(tx dataservices.DataStoreTx, payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
-	var err error
-
 	switch payload.EndpointCreationType {
 	case azureEnvironment:
 		return handler.createAzureEndpoint(tx, payload)
@@ -301,12 +298,9 @@ func (handler *Handler) createEndpoint(tx dataservices.DataStoreTx, payload *end
 	endpointType := portainer.DockerEnvironment
 	var agentVersion string
 	if payload.EndpointCreationType == agentEnvironment {
-		var tlsConfig *tls.Config
-		if payload.TLS {
-			tlsConfig, err = crypto.CreateTLSConfigurationFromBytes(payload.TLSCACertFile, payload.TLSCertFile, payload.TLSKeyFile, payload.TLSSkipVerify, payload.TLSSkipClientVerify)
-			if err != nil {
-				return nil, httperror.InternalServerError("Unable to create TLS configuration", err)
-			}
+		tlsConfig, err := crypto.CreateTLSConfigurationFromBytes(payload.TLS, payload.TLSCACertFile, payload.TLSCertFile, payload.TLSKeyFile, payload.TLSSkipVerify, payload.TLSSkipClientVerify)
+		if err != nil {
+			return nil, httperror.InternalServerError("Unable to create TLS configuration", err)
 		}
 
 		agentPlatform, version, err := agent.GetAgentVersionAndPlatform(payload.URL, tlsConfig)

api/http/handler/websocket/initdial.go

@@ -21,16 +21,14 @@ func initDial(endpoint *portainer.Endpoint) (net.Conn, error) {
 		host = url.Path
 	}
 
-	if endpoint.TLSConfig.TLS {
-		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-		if err != nil {
-			return nil, err
-		}
-
-		return tls.Dial(url.Scheme, host, tlsConfig)
+	if !endpoint.TLSConfig.TLS {
+		return createDial(url.Scheme, host)
 	}
 
-	con, err := createDial(url.Scheme, host)
+	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
 
-	return con, err
+	return tls.Dial(url.Scheme, host, tlsConfig)
 }

api/http/handler/websocket/initdial_test.go

@@ -0,0 +1,64 @@
+package websocket
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestInitDial(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	tlsSrv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer tlsSrv.Close()
+
+	f := func(srvURL string) {
+		u, err := url.Parse(srvURL)
+		require.NoError(t, err)
+
+		isTLS := u.Scheme == "https"
+
+		u.Scheme = "tcp"
+
+		endpoint := &portainer.Endpoint{
+			URL: u.String(),
+			TLSConfig: portainer.TLSConfiguration{
+				TLS:           isTLS,
+				TLSSkipVerify: true,
+			},
+		}
+
+		// Valid configuration
+		conn, err := initDial(endpoint)
+		require.NoError(t, err)
+		require.NotNil(t, conn)
+
+		err = conn.Close()
+		require.NoError(t, err)
+
+		if !isTLS {
+			return
+		}
+
+		// Invalid TLS configuration
+		endpoint.TLSConfig.TLSCertPath = "/invalid/path/client.crt"
+		endpoint.TLSConfig.TLSKeyPath = "/invalid/path/client.key"
+
+		conn, err = initDial(endpoint)
+		require.Error(t, err)
+		require.Nil(t, conn)
+	}
+
+	f(srv.URL)
+	f(tlsSrv.URL)
+}