fix(tls): centralize the TLS configuration to ensure FIPS compliance BE-11979 (#960)

2025-08-05 05:45:22 +02:00 · 2025-08-01 22:23:59 -03:00 · 2025-08-01 22:23:59 -03:00 · 163aa57e5c
commit 163aa57e5c
parent 3eab294908
25 changed files with 454 additions and 112 deletions
--- a/api/stacks/deployments/deploy.go
+++ b/api/stacks/deployments/deploy.go
@ -2,7 +2,6 @@ package deployments

 import (
 	"cmp"
-	"crypto/tls"
 	"fmt"
 	"strconv"
 	"time"
@ -215,13 +214,9 @@ func isEnvironmentOnline(endpoint *portainer.Endpoint) bool {
 		return true
 	}

-	var err error
-	var tlsConfig *tls.Config
-	if endpoint.TLSConfig.TLS {
-		tlsConfig, err = crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-		if err != nil {
-			return false
-		}
+	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+	if err != nil {
+		return false
 	}

 	_, _, err = agent.GetAgentVersionAndPlatform(endpoint.URL, tlsConfig)
--- a/api/stacks/deployments/deploy_test.go
+++ b/api/stacks/deployments/deploy_test.go
@ -10,6 +10,7 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/datastore"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/internal/testhelpers"
@ -127,9 +128,8 @@ func agentServer(t *testing.T) string {
 	cert, err := tls.X509KeyPair([]byte(localhostCert), []byte(localhostKey))
 	require.NoError(t, err)

-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-	}
+	tlsConfig := crypto.CreateTLSConfiguration()
+	tlsConfig.Certificates = []tls.Certificate{cert}

 	l, err := tls.Listen("tcp", "127.0.0.1:0", tlsConfig)
 	require.NoError(t, err)