tls: enable the selection of more TLS settings (prometheus#1695)

tls: enable the selection of more TLS settings
* Rename `tls_config` to `tls_server_config`.
* Add new http server config with HTTP/2 enabled by default.

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>

Author: Julien Pivotto

https/README.md

@@ -14,18 +14,48 @@ The config file should be written in YAML format, and is reloaded on each connec
 ## Sample Config
 
 ```
-tls_config:
-  # Certificate and key files for server to use to authenticate to client
+tls_server_config:
+  # Certificate and key files for server to use to authenticate to client.
   cert_file: <filename>
   key_file: <filename>
 
-  # Server policy for client authentication. Maps to ClientAuth Policies
+  # Server policy for client authentication. Maps to ClientAuth Policies.
   # For more detail on clientAuth options: [ClientAuthType](https://golang.org/pkg/crypto/tls/#ClientAuthType)
   [ client_auth_type: <string> | default = "NoClientCert" ]
 
-  # CA certificate for client certificate authentication to the server
+  # CA certificate for client certificate authentication to the server.
   [ client_ca_file: <filename> ]
 
+  # Minimum TLS version that is acceptable.
+  [ min_version: <string> | default = "TLS12" ]
+
+  # Maximum TLS version that is acceptable.
+  [ max_version: <string> | default = "TLS13" ]
+
+  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
+  # Go default cipher suites are used. Available cipher suites are documented
+  # in the go documentation:
+  # https://golang.org/pkg/crypto/tls/#pkg-constants
+  [ cipher_suites:
+    [ - <string> ] ]
+
+  # prefer_server_cipher_suites controls whether the server selects the
+  # client's most preferred ciphersuite, or the server's most preferred
+  # ciphersuite. If true then the server's preference, as expressed in
+  # the order of elements in cipher_suites, is used.
+  [ prefer_server_cipher_suites: <bool> | default = true ]
+
+  # Elliptic curves that will be used in an ECDHE handshake, in preference
+  # order. Available curves are documented in the go documentation:
+  # https://golang.org/pkg/crypto/tls/#CurveID
+  [ curve_preferences:
+    [ - <string> ] ]
+
+http_server_config:
+  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
+  # This can not be changed on the fly.
+  [ http2: <bool> | default = true ]
+
 # List of usernames and hashed passwords that have full access to the web
 # server via basic authentication. If empty, no basic authentication is
 # required. Passwords are hashed with bcrypt.

https/testdata/tls_config_auth_clientCAs_invalid.bad.yml

@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_ca_file : "somefile"

https/testdata/tls_config_auth_clientCAs_missing.bad.yml

@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_auth_type : "RequireAndVerifyClientCert"

https/testdata/tls_config_auth_user_list_invalid.bad.yml

@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
 basic_auth_users:

https/testdata/tls_config_junk_key.yml

@@ -1,2 +1,2 @@
-tls_config :
+tls_server_config :
   cert_filse: "testdata/server.crt"

https/testdata/tls_config_noAuth.bad.yml

@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_ca_file : "testdata/tls-ca-chain.pem" 

https/testdata/tls_config_noAuth.good.blocking.yml

@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_auth_type : "RequireAndVerifyClientCert"

https/testdata/tls_config_noAuth.good.yml

@@ -1,4 +1,4 @@
-tls_config :
+tls_server_config :
   cert_file : "testdata/server.crt"
   key_file : "testdata/server.key"
   client_auth_type : "VerifyClientCertIfGiven"

https/testdata/tls_config_noAuth_allCiphers.good.yml

@@ -0,0 +1,26 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  cipher_suites:
+  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  - TLS_AES_128_GCM_SHA256
+  - TLS_AES_256_GCM_SHA384
+  - TLS_CHACHA20_POLY1305_SHA256
+  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+  - TLS_RSA_WITH_3DES_EDE_CBC_SHA
+  - TLS_RSA_WITH_AES_128_CBC_SHA
+  - TLS_RSA_WITH_AES_256_CBC_SHA
+  - TLS_RSA_WITH_AES_128_GCM_SHA256
+  - TLS_RSA_WITH_AES_256_GCM_SHA384
+

https/testdata/tls_config_noAuth_allCurves.good.yml

@@ -0,0 +1,10 @@
+tls_server_config :
+  cert_file : "testdata/server.crt"
+  key_file : "testdata/server.key"
+  client_auth_type : "VerifyClientCertIfGiven"
+  client_ca_file : "testdata/tls-ca-chain.pem"
+  curve_preferences:
+    - CurveP256
+    - CurveP384
+    - CurveP521
+    - X25519