feat(tls): allow configuring TLS versions and cipher suites (#575)

* feat(tls): allow configuring TLS versions and cipher suites

Expose configuration options for TLS MinVersion, MaxVersion, and CipherSuites
backed by crypto/tls. This allows LiveKit to interoperate with providers that
require non-default or legacy TLS configurations.

* fix(tls): Change the accepted format of TLS version

Author: NikToloknov

pkg/config/config.go

@@ -54,6 +54,14 @@ type TLSConfig struct {
 	ListenPort int       `yaml:"port_listen"` // SIP signaling port to listen on
 	Certs      []TLSCert `yaml:"certs"`
 	KeyLog     string    `yaml:"key_log"`
+
+	MinVersion string `yaml:"min_version"` // min TLS version, accepts: "tls1.0", "tls1.1", "tls1.2", "tls1.3"
+	MaxVersion string `yaml:"max_version"` // max TLS version, accepts: "tls1.0", "tls1.1", "tls1.2", "tls1.3"
+
+	// CipherSuites is an optional list of cipher suite names.
+	// If not provided, Go's secure defaults are used.
+	// Note: Only applies to TLS 1.0-1.2; TLS 1.3 cipher suites are not configurable.
+	CipherSuites []string `yaml:"cipher_suites"`
 }
 
 type TCPConfig struct {

pkg/sip/service.go

@@ -259,6 +259,29 @@ func (s *Service) Start() error {
 			Certificates: certs,
 			KeyLogWriter: keyLog,
 		}
+
+		if len(tconf.CipherSuites) > 0 {
+			suits, err := parseCipherSuites(s.log, tconf.CipherSuites)
+			if err != nil {
+				return err
+			}
+			tlsConf.CipherSuites = suits
+		}
+		if tconf.MinVersion != "" {
+			minVer, err := parseTLSVersion(tconf.MinVersion)
+			if err != nil {
+				return err
+			}
+			tlsConf.MinVersion = minVer
+		}
+		if tconf.MaxVersion != "" {
+			maxVer, err := parseTLSVersion(tconf.MaxVersion)
+			if err != nil {
+				return err
+			}
+			tlsConf.MaxVersion = maxVer
+		}
+
 		ConfigureTLS(tlsConf)
 		opts = append(opts, sipgo.WithUserAgenTLSConfig(tlsConf))
 	}

pkg/sip/tls.go

@@ -18,8 +18,18 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
+
+	"github.com/livekit/protocol/logger"
 )
 
+func makeTLSCipherMap(CipherSuites []*tls.CipherSuite) map[string]*tls.CipherSuite {
+	cipherSuitesMap := make(map[string]*tls.CipherSuite)
+	for _, c := range CipherSuites {
+		cipherSuitesMap[c.Name] = c
+	}
+	return cipherSuitesMap
+}
+
 func ConfigureTLS(c *tls.Config) {
 	// We can't use default cert verification, because SIP headers usually specify IP address instead of a hostname.
 	// At least, we could validate certificate chain using VerifyPeerCertificate and ignore the server name for now.
@@ -49,3 +59,47 @@ func ConfigureTLS(c *tls.Config) {
 		return nil
 	}
 }
+
+// parseCipherSuites parses cipher suite names to uint16 IDs.
+// Logs a warning for each insecure cipher suite configured.
+func parseCipherSuites(log logger.Logger, suites []string) ([]uint16, error) {
+	if len(suites) == 0 {
+		return nil, nil
+	}
+
+	parsedCipherSuites := []uint16{}
+	cipherSuite := makeTLSCipherMap(tls.CipherSuites())
+	insecureCipherSuite := makeTLSCipherMap(tls.InsecureCipherSuites())
+
+	for _, suite := range suites {
+		if cipher, ok := cipherSuite[suite]; ok {
+			parsedCipherSuites = append(parsedCipherSuites, cipher.ID)
+		} else if cipher, ok := insecureCipherSuite[suite]; ok {
+			parsedCipherSuites = append(parsedCipherSuites, cipher.ID)
+			log.Warnw("using insecure TLS cipher suite", nil, "cipherSuite", suite)
+		} else {
+			return nil, errors.New("unknown cipher suite: " + suite)
+		}
+	}
+
+	return parsedCipherSuites, nil
+}
+
+// parseTLSVersion parses a TLS version string to its uint16 constant.
+// Accepts formats: "tls1.0", "tls1.1", "tls1.2", "tls1.3" or "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3".
+func parseTLSVersion(version string) (uint16, error) {
+	switch version {
+	case "":
+		return 0, nil
+	case "tls1.0", "TLS1.0":
+		return tls.VersionTLS10, nil
+	case "tls1.1", "TLS1.1":
+		return tls.VersionTLS11, nil
+	case "tls1.2", "TLS1.2":
+		return tls.VersionTLS12, nil
+	case "tls1.3", "TLS1.3":
+		return tls.VersionTLS13, nil
+	default:
+		return 0, errors.New("unknown TLS version: " + version)
+	}
+}

pkg/sip/tls_test.go

@@ -0,0 +1,138 @@
+package sip
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/livekit/protocol/logger"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseCipherSuites(t *testing.T) {
+	log := logger.GetLogger()
+
+	t.Run("valid cipher suites - secure", func(t *testing.T) {
+		cipherSuites := []string{
+			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+		}
+
+		suites, err := parseCipherSuites(log, cipherSuites)
+
+		require.NoError(t, err)
+		require.Equal(t, len(cipherSuites), len(suites))
+		require.Equal(t, uint16(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), suites[0])
+		require.Equal(t, uint16(tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), suites[1])
+		require.Equal(t, uint16(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), suites[2])
+	})
+
+	t.Run("valid cipher suites - insecure", func(t *testing.T) {
+		cipherSuites := []string{
+			"TLS_RSA_WITH_RC4_128_SHA",
+			"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+			"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+		}
+
+		suites, err := parseCipherSuites(log, cipherSuites)
+
+		require.NoError(t, err)
+		require.Equal(t, len(cipherSuites), len(suites))
+		require.Equal(t, uint16(tls.TLS_RSA_WITH_RC4_128_SHA), suites[0])
+		require.Equal(t, uint16(tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA), suites[1])
+		require.Equal(t, uint16(tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA), suites[2])
+	})
+
+	t.Run("cipher suite - mixed", func(t *testing.T) {
+		cipherSuites := []string{
+			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+		}
+
+		suites, err := parseCipherSuites(log, cipherSuites)
+
+		require.NoError(t, err)
+		require.Equal(t, len(cipherSuites), len(suites))
+		require.Equal(t, uint16(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), suites[0])
+		require.Equal(t, uint16(tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA), suites[1])
+	})
+
+	t.Run("invalid cipher site", func(t *testing.T) {
+		cipherSuites := []string{
+			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+			"INVALID_CIPHER_SUITE",
+		}
+
+		_, err := parseCipherSuites(log, cipherSuites)
+
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "unknown cipher suite: INVALID_CIPHER_SUITE")
+	})
+}
+func TestParseTLSVersion(t *testing.T) {
+	t.Run("empty string", func(t *testing.T) {
+		version, err := parseTLSVersion("")
+		require.NoError(t, err)
+		require.Equal(t, uint16(0), version)
+	})
+
+	t.Run("TLS 1.0 - lowercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("tls1.0")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS10), version)
+	})
+
+	t.Run("TLS 1.0 - uppercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("TLS1.0")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS10), version)
+	})
+
+	t.Run("TLS 1.1 - lowercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("tls1.1")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS11), version)
+	})
+
+	t.Run("TLS 1.1 - uppercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("TLS1.1")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS11), version)
+	})
+
+	t.Run("TLS 1.2 - lowercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("tls1.2")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS12), version)
+	})
+
+	t.Run("TLS 1.2 - uppercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("TLS1.2")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS12), version)
+	})
+
+	t.Run("TLS 1.3 - lowercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("tls1.3")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS13), version)
+	})
+
+	t.Run("TLS 1.3 - uppercase format", func(t *testing.T) {
+		version, err := parseTLSVersion("TLS1.3")
+		require.NoError(t, err)
+		require.Equal(t, uint16(tls.VersionTLS13), version)
+	})
+
+	t.Run("invalid version", func(t *testing.T) {
+		_, err := parseTLSVersion("tls1.4")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "unknown TLS version: tls1.4")
+	})
+
+	t.Run("invalid format", func(t *testing.T) {
+		_, err := parseTLSVersion("TLS 1.2")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "unknown TLS version: TLS 1.2")
+	})
+}