From 58f8b3c3474e04e9a0091859ad21e665b93c425f Mon Sep 17 00:00:00 2001 From: "Gerasimos (Makis) Maropoulos" Date: Tue, 16 Jan 2018 12:51:28 +0200 Subject: [PATCH] Security fix for TLS-enabled servers, please read https://github.com/kataras/iris/blob/master/HISTORY.md#tu-16-jenuary-2018--v1002 Former-commit-id: 861f7a30cbb2309a1f16c5196ceb10b02a92b933 --- HISTORY.md | 11 +++++++ HISTORY_GR.md | 11 +++++++ HISTORY_ZH.md | 4 +++ README.md | 2 +- README_GR.md | 2 +- README_RU.md | 2 +- README_ZH.md | 2 +- VERSION | 2 +- core/host/supervisor.go | 62 ++++++++++++++----------------------- core/maintenance/version.go | 2 +- iris.go | 9 +++--- 11 files changed, 59 insertions(+), 50 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 581175ef..9532c2f0 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -17,6 +17,17 @@ Developers are not forced to upgrade if they don't really need it. Upgrade whene **How to upgrade**: Open your command-line and execute this command: `go get -u github.com/kataras/iris` or let the automatic updater do that for you. +# Tu, 16 Jenuary 2018 | v10.0.2 + +## Security | `iris.AutoTLS` + +**Every server should be upgraded to this version**, it contains fixes for the _tls-sni challenge disabled_ some days ago by letsencrypt.org which caused almost every https-enabled golang server to be unable to be functional, therefore support for the _http-01 challenge type_ added. Now the server is testing all available letsencrypt challenges. + +Read more at: + +- https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241 +- https://github.com/golang/crypto/commit/13931e22f9e72ea58bb73048bc752b48c6d4d4ac + # Mo, 15 Jenuary 2018 | v10.0.1 Not any serious problems were found to be resolved here but one, the first one which is important for devs that used the [cache](cache) package. diff --git a/HISTORY_GR.md b/HISTORY_GR.md index 3da2cb89..a4beb019 100644 --- a/HISTORY_GR.md +++ b/HISTORY_GR.md 
@@ -17,6 +17,17 @@ **Πώς να αναβαθμίσετε**: Ανοίξτε την γραμμή εντολών σας και εκτελέστε αυτήν την εντολή: `go get -u github.com/kataras/iris` ή αφήστε το αυτόματο updater να το κάνει αυτό για σας. +# Tu, 16 Jenuary 2018 | v10.0.2 + +## Ασφάλεια | `iris.AutoTLS` + +**Όλοι οι servers πρέπει να αναβαθμιστούν σε αυτήν την έκδοση**, περιέχει διορθώσεις για το _tls-sni challenge_ το οποίο απενεργοποιήθηκε μερικές μέρες πριν από το letsencrypt.org το οποίο προκάλεσε σχεδόν όλα τα golang https-ενεργποιημένα servers να να μην είναι σε θέση να λειτουργήσουν, έτσι υποστήριξη για το _http-01 challenge_ προστέθηκε σαν αναπλήρωση. Πλέον ο διακομιστής δοκιμάζει όλες τις διαθέσιμες προκλήσεις(challeneges) letsencrypt. + +Διαβάστε περισσότερα: + +- https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241 +- https://github.com/golang/crypto/commit/13931e22f9e72ea58bb73048bc752b48c6d4d4ac + # Mo, 15 Jenuary 2018 | v10.0.1 - διόρθωση του cache handler που δεν δούλευε όπως έπρεπε όταν γινόταν εγγραφή σε πάνω από ένα handler, παλιότερα ήταν ένα cache handler προς ένα route handler, τώρα το ίδιο handler μπορεί να καταχωρηθεί σε όσα route handlers θέλετε https://github.com/kataras/iris/pull/852, όπως είχε αναφερθεί στο https://github.com/kataras/iris/issues/850 diff --git a/HISTORY_ZH.md b/HISTORY_ZH.md index 08ef49d6..04985655 100644 --- a/HISTORY_ZH.md +++ b/HISTORY_ZH.md @@ -17,6 +17,10 @@ **如何升级**: 打开命令行执行以下命令: `go get -u github.com/kataras/iris` 或者等待自动更新。 +# Tu, 16 Jenuary 2018 | v10.0.2 + +Translation is not available yet, please take a look at the [english version of this history entry](https://github.com/kataras/iris/blob/master/HISTORY.md#tu-16-jenuary-2018--v1002) instead. + # 2018 1月15号 | v10.0.1 版本更新 该版本暂未发现重大问题,但如果你使用 [cache](cache) 包的话,这里有些更新或许正好解决某些问题。 diff --git a/README.md b/README.md index 2c8480eb..45aa4116 100644 --- a/README.md +++ b/README.md 
@@ -106,7 +106,7 @@ _Updated at: [Tuesday, 21 November 2017](_benchmarks/README_UNIX.md)_ ## Support -- [HISTORY](HISTORY.md#mo-15-jenuary-2018--v1001) file is your best friend, it contains information about the latest features and changes +- [HISTORY](HISTORY.md#tu-16-jenuary-2018--v1002) file is your best friend, it contains information about the latest features and changes - Did you happen to find a bug? Post it at [github issues](https://github.com/kataras/iris/issues) - Do you have any questions or need to speak with someone experienced to solve a problem at real-time? Join us to the [community chat](https://chat.iris-go.com) - Complete our form-based user experience report by clicking [here](https://docs.google.com/forms/d/e/1FAIpQLSdCxZXPANg_xHWil4kVAdhmh7EBBHQZ_4_xSZVDL-oCC_z5pA/viewform?usp=sf_link) diff --git a/README_GR.md b/README_GR.md index 14378dc6..cc6d0e14 100644 --- a/README_GR.md +++ b/README_GR.md @@ -108,7 +108,7 @@ _Η τελευταία ενημέρωση έγινε την [Τρίτη, 21 Νο ## Υποστήριξη -- To [HISTORY](HISTORY_GR.md#mo-15-jenuary-2018--v1001) αρχείο είναι ο καλύτερος σας φίλος, περιέχει πληροφορίες σχετικά με τις τελευταίες λειτουργίες(features) και αλλαγές +- To [HISTORY](HISTORY_GR.md#tu-16-jenuary-2018--v1002) αρχείο είναι ο καλύτερος σας φίλος, περιέχει πληροφορίες σχετικά με τις τελευταίες λειτουργίες(features) και αλλαγές - Μήπως τυχαίνει να βρήκατε κάποιο bug; Δημοσιεύστε το στα [github issues](https://github.com/kataras/iris/issues) - Έχετε οποιεσδήποτε ερωτήσεις ή πρέπει να μιλήσετε με κάποιον έμπειρο για την επίλυση ενός προβλήματος σε πραγματικό χρόνο; Ελάτε μαζί μας στην [συνομιλία κοινότητας](https://chat.iris-go.com) - Συμπληρώστε την αναφορά εμπειρίας χρήστη κάνοντας κλικ [εδώ](https://docs.google.com/forms/d/e/1FAIpQLSdCxZXPANg_xHWil4kVAdhmh7EBBHQZ_4_xSZVDL-oCC_z5pA/viewform?usp=sf_link) diff --git a/README_RU.md b/README_RU.md index 09495551..85bcb688 100644 --- a/README_RU.md +++ b/README_RU.md 
@@ -106,7 +106,7 @@ _Обновлено: [Вторник, 21 ноября 2017 г.](_benchmarks/READ ## Поддержка -- Файл [HISTORY](HISTORY.md#mo-15-jenuary-2018--v1001) - ваш лучший друг, он содержит информацию о последних особенностях и всех изменениях +- Файл [HISTORY](HISTORY.md#tu-16-jenuary-2018--v1002) - ваш лучший друг, он содержит информацию о последних особенностях и всех изменениях - Вы случайно обнаружили ошибку? Опубликуйте ее на [Github вопросы](https://github.com/kataras/iris/issues) - У Вас есть какие-либо вопросы или Вам нужно поговорить с кем-то, кто бы смог решить Вашу проблему в режиме реального времени? Присоединяйтесь к нам в [чате сообщества](https://chat.iris-go.com) - Заполните наш отчет о пользовательском опыте на основе формы, нажав [здесь](https://docs.google.com/forms/d/e/1FAIpQLSdCxZXPANg_xHWil4kVAdhmh7EBBHQZ_4_xSZVDL-oCC_z5pA/viewform?usp=sf_link) diff --git a/README_ZH.md b/README_ZH.md index 5931b944..ec21ab48 100644 --- a/README_ZH.md +++ b/README_ZH.md @@ -102,7 +102,7 @@ _更新于: [2017年11月21日星期二](_benchmarks/README_UNIX.md)_ ## 支持 -- [更新记录](HISTORY_ZH.md#mo-15-jenuary-2018--v1001) 是您最好的朋友,它包含有关最新功能和更改的信息 +- [更新记录](HISTORY_ZH.md#tu-16-jenuary-2018--v1002) 是您最好的朋友,它包含有关最新功能和更改的信息 - 你碰巧找到了一个错误? 请提交 [github issues](https://github.com/kataras/iris/issues) - 您是否有任何疑问或需要与有经验的人士交谈以实时解决问题? [加入我们的聊天](https://chat.iris-go.com) - [点击这里完成我们基于表单的用户体验报告](https://docs.google.com/forms/d/e/1FAIpQLSdCxZXPANg_xHWil4kVAdhmh7EBBHQZ_4_xSZVDL-oCC_z5pA/viewform?usp=sf_link) diff --git a/VERSION b/VERSION index b3fd8049..b9a02d3a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -10.0.1:https://github.com/kataras/iris/blob/master/HISTORY.md#mo-15-jenuary-2018--v1001 \ No newline at end of file +10.0.2:https://github.com/kataras/iris/blob/master/HISTORY.md#tu-16-jenuary-2018--v1002 \ No newline at end of file diff --git a/core/host/supervisor.go b/core/host/supervisor.go index b31c291f..cdbe775f 100644 --- a/core/host/supervisor.go +++ b/core/host/supervisor.go 
@@ -5,7 +5,6 @@ import ( "crypto/tls" "net" "net/http" - "net/url" "strings" "sync" "sync/atomic" @@ -285,9 +284,10 @@ func (su *Supervisor) ListenAndServeTLS(certFile string, keyFile string) error { // stores and retrieves previously-obtained certificates. // If empty, certs will only be cached for the lifetime of the auto tls manager. // -// Note: If domain is not empty and the server's port was "443" then -// it will start a new server, automatically for you, which will redirect all -// http versions to their https as well. +// Note: The domain should be like "iris-go.com www.iris-go.com", +// the e-mail like "kataras2006@hotmail.com" and the cacheDir like "letscache" +// The `ListenAndServeAutoTLS` will start a new server for you, +// which will redirect all http versions to their https, including subdomains as well. func (su *Supervisor) ListenAndServeAutoTLS(domain string, email string, cacheDir string) error { var ( cache autocert.Cache @@ -310,7 +310,25 @@ func (su *Supervisor) ListenAndServeAutoTLS(domain string, email string, cacheDi Cache: cache, } - cfg := &tls.Config{ + srv2 := &http.Server{ + ReadTimeout: 30 * time.Second, + WriteTimeout: 60 * time.Second, + Addr: ":http", + Handler: autoTLSManager.HTTPHandler(nil), // nil for redirect. + } + + // register a shutdown callback to this + // supervisor in order to close the "secondary redirect server" as well. + su.RegisterOnShutdown(func() { + // give it some time to close itself... + timeout := 5 * time.Second + ctx, cancel := context.WithTimeout(context.Background(), timeout) + defer cancel() + srv2.Shutdown(ctx) + }) + go srv2.ListenAndServe() + + su.Server.TLSConfig = &tls.Config{ GetCertificate: autoTLSManager.GetCertificate, MinVersion: tls.VersionTLS10, PreferServerCipherSuites: true, 
@@ -318,40 +336,6 @@ func (su *Supervisor) ListenAndServeAutoTLS(domain string, email string, cacheDi tls.X25519, }, } - - su.Server.TLSConfig = cfg - - // Redirect all http://$path requests to their - // https://$path versions if a specific domain is passed on - // and the port was 443. - if hostPolicy != nil && netutil.ResolvePort(su.Server.Addr) == 443 { - // find the first domain if more than one. - spaceIdx := strings.IndexByte(domain, ' ') - if spaceIdx != -1 { - domain = domain[0:spaceIdx] - } - // create the url for the secured server. - target, err := url.Parse("https://" + domain) - if err != nil { - return err - } - - // create the redirect server. - redirectSrv := NewRedirection(":80", target, -1) - // register a shutdown callback to this - // supervisor in order to close the "secondary redirect server" as well. - su.RegisterOnShutdown(func() { - // give it some time to close itself... - timeout := 5 * time.Second - ctx, cancel := context.WithTimeout(context.Background(), timeout) - defer cancel() - redirectSrv.Shutdown(ctx) - }) - - // start that redirect server using a different goroutine. - go redirectSrv.ListenAndServe() - } - return su.ListenAndServeTLS("", "") } diff --git a/core/maintenance/version.go b/core/maintenance/version.go index 04e68446..a12c7ad1 100644 --- a/core/maintenance/version.go +++ b/core/maintenance/version.go @@ -13,7 +13,7 @@ import ( const ( // Version is the string representation of the current local Iris Web Framework version. - Version = "10.0.1" + Version = "10.0.2" ) // CheckForUpdates checks for any available updates diff --git a/iris.go b/iris.go index 7b4149ae..6c6205bd 100644 --- a/iris.go +++ b/iris.go 
@@ -559,7 +559,7 @@ func TLS(addr string, certFile, keyFile string, hostConfigs ...host.Configurator // certifications created on the fly by the "autocert" golang/x package, // so localhost may not be working, use it at "production" machine. // -// Addr should have the form of [host]:port, i.e mydomain.com:443 or :443. +// Addr should have the form of [host]:port, i.e mydomain.com:443. // // The whitelisted domains are separated by whitespace in "domain" argument, // i.e "iris-go.com", can be different than "addr". @@ -572,9 +572,8 @@ func TLS(addr string, certFile, keyFile string, hostConfigs ...host.Configurator // // For an "e-mail" use a non-public one, letsencrypt needs that for your own security. // -// Note: If domain is not empty and the server's port was "443" then -// it will start a new server, automatically for you, which will redirect all -// http versions to their https as well. +// Note: `AutoTLS` will start a new server for you +// which will redirect all http versions to their https, including subdomains as well. // // Last argument is optional, it accepts one or more // `func(*host.Configurator)` that are being executed @@ -586,7 +585,7 @@ func TLS(addr string, certFile, keyFile string, hostConfigs ...host.Configurator // Look at the `ConfigureHost` too. // // Usage: -// app.Run(iris.AutoTLS(":443", "example.com", "mail@example.com")) +// app.Run(iris.AutoTLS("iris-go.com:443", "iris-go.com www.iris-go.com", "mail@example.com")) // // See `Run` and `core/host/Supervisor#ListenAndServeAutoTLS` for more. func AutoTLS(
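Review bot: the HISTORY.md hunk files this entry under "Security" and tells every server to upgrade, but what the added lines actually describe is an availability failure (letsencrypt.org disabled the tls-sni challenge, so certificate issuance stopped working), not a vulnerability in Iris; say that plainly so readers do not go looking for a weakness in their running servers, and narrow "Now the server is testing all available letsencrypt challenges" to what this diff does, which is to answer the http-01 challenge on port 80 through `autoTLSManager.HTTPHandler`. The heading "Tu, 16 Jenuary 2018 | v10.0.2" also carries a spelling error that is baked into the anchor `#tu-16-jenuary-2018--v1002` reused by README.md, README_GR.md, README_RU.md, README_ZH.md, HISTORY_ZH.md, VERSION and the commit subject; if the heading is corrected, every one of those links has to change in the same commit, otherwise keep the spelling consistent as it is now.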
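Review bot: in the first `core/host/supervisor.go` hunk only `"net/url"` is removed from the imports, yet the block deleted further down was also the only visible user of `strings` (`strings.IndexByte`) and of `netutil` (`netutil.ResolvePort`); if nothing else in the file references them the package no longer compiles because of unused imports, so build this package before merging and drop whichever of those two imports is now dead. `context` and `time` are still needed by the new shutdown callback and must stay.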
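Review bot: the rewritten doc comment on `ListenAndServeAutoTLS` (hunk at `-285`) should spell out the operational preconditions the new implementation has: the http-01 challenge and the redirect are served from `Addr: ":http"`, so port 80 must be free and reachable from the public internet or issuance fails, and the TLS listener is expected on 443 because the redirect target is the default TLS port; it should also say that `domain` is a whitelist (it becomes the `HostPolicy`), so `www.` and every other hostname that needs a certificate must be listed. The sentence "which will redirect all http versions to their https, including subdomains as well" is hard to parse; suggest "redirects every plain-HTTP request to the HTTPS counterpart of the same host and path". The same sentence is duplicated in the `iris.go` comment on `AutoTLS`, so change both together.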
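Review bot: in the `-310,7 +310,25` hunk `go srv2.ListenAndServe()` discards the returned error, so when port 80 cannot be bound (already taken, or the process lacks the privilege) the http-01 challenge is silently unanswerable and the only symptom is a certificate fetch failing much later on the TLS side. Wrap the call so the error is surfaced, for example

	go func() {
		if err := srv2.ListenAndServe(); err != nil && err != http.ErrServerClosed {
			// log it or feed it to the supervisor's existing error reporting
		}
	}()

and treat `srv2.Shutdown(ctx)` in the shutdown callback the same way instead of dropping its result. Since the commit is advertised as a security fix, the unchanged context line `MinVersion: tls.VersionTLS10` in this hunk is also worth revisiting: TLS 1.0 is deprecated and raising the floor to `tls.VersionTLS12` would be in scope here.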
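Review bot: the `-318,40 +336,6` hunk removes the `hostPolicy != nil && netutil.ResolvePort(su.Server.Addr) == 443` guard without a replacement, which is a behaviour change rather than a pure cleanup: the old code started the port-80 redirector only when the TLS server actually listened on 443, while the new listener is started unconditionally on `":http"`, and `autoTLSManager.HTTPHandler(nil)` (the comment says "nil for redirect") redirects to the default HTTPS port, not to `su.Server.Addr`. A caller that passes `:8443` now gets a second listener on port 80 that sends browsers to a port nothing is listening on and that collides with any other process bound to 80. Binding 80 is unavoidable for http-01 whatever the TLS port, so either keep a port check and document the requirement, or pass a fallback handler that builds the redirect target from `su.Server.Addr` instead of `nil`.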
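Review bot: the `iris.go` hunk at `-559` shortens the example in "Addr should have the form of [host]:port, i.e mydomain.com:443." by dropping `:443` without saying why; with this change the port is no longer a free choice, because the supervisor now binds port 80 for the challenge and redirect and that redirect targets 443, so state that the address must use port 443 and that port 80 must also be available, rather than leaving the reader to infer it from a changed example. The usage line in the `-586` hunk, `app.Run(iris.AutoTLS("iris-go.com:443", "iris-go.com www.iris-go.com", "mail@example.com"))`, is consistent with that and is a good place to repeat it in one sentence.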