Preserve Mozilla v5.8 old TLS profile and harden update script (#2632)

- Move oldTLSProfile to a static old_profile.go (removed from v6+ spec)
- Add version-based early exit to update-tls-profiles.sh
- Validate profile existence, tls_versions, ciphers, and curves fields
- Make jq/sed/cat invocations null-safe and consistently quote variables
- Add unit tests for old profile content; fix global state leak in tests

Signed-off-by: Todd Short <tshort@redhat.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: tmshort

hack/tools/update-tls-profiles.sh

@@ -8,52 +8,112 @@ if [ -z "${JQ}" ]; then
 fi
 
 OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.go
-INPUT=https://ssl-config.mozilla.org/guidelines/5.8.json
+INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
 
 TMPFILE="$(mktemp)"
 trap 'rm -rf "$TMPFILE"' EXIT
 
-curl -L -s ${INPUT} > ${TMPFILE}
+if ! curl -L -s -f "${INPUT}" > "${TMPFILE}"; then
+    echo "ERROR: Failed to download ${INPUT} (HTTP error or connection failure)" >&2
+    exit 1
+fi
+
+if ! ${JQ} empty "${TMPFILE}" 2>/dev/null; then
+    echo "ERROR: Downloaded data from ${INPUT} is not valid JSON" >&2
+    exit 1
+fi
 
-version=$(${JQ} -r '.version' ${TMPFILE})
+# Extract stored version from current output file (may be empty on first run)
+STORED_VERSION=$(grep '^// DATA VERSION:' "${OUTPUT}" 2>/dev/null | awk '{print $4}' || true)
 
-cat > ${OUTPUT} <<EOF
+# Extract version from downloaded JSON and fail early if missing
+NEW_VERSION=$(${JQ} -r '.version' "${TMPFILE}")
+if [ -z "${NEW_VERSION}" ] || [ "${NEW_VERSION}" = "null" ]; then
+    echo "ERROR: Could not read .version from ${INPUT}" >&2
+    exit 1
+fi
+
+if [ "${NEW_VERSION}" = "${STORED_VERSION}" ]; then
+    echo "Mozilla TLS data is already at version ${NEW_VERSION}, skipping regeneration."
+    exit 0
+fi
+echo "Updating Mozilla TLS data from version ${STORED_VERSION:-unknown} to ${NEW_VERSION}"
+
+cat > "${OUTPUT}" <<EOF
 package tlsprofiles
 
 // DO NOT EDIT, GENERATED BY ${0}
 // DATA SOURCE: ${INPUT}
-// DATA VERSION: ${version}
+// DATA VERSION: ${NEW_VERSION}
 
 import (
 "crypto/tls"
 )
 EOF
 
 function generate_profile {
-    cat >> ${OUTPUT} <<EOF
-
-var ${1}TLSProfile = tlsProfile{
+    local profile="${1}"
+
+    # Validate the profile key exists before writing any output
+    local exists
+    exists=$(${JQ} -r ".configurations | has(\"${profile}\")" "${TMPFILE}")
+    if [ "${exists}" != "true" ]; then
+        echo "ERROR: Profile '${profile}' not found in ${INPUT} (version ${NEW_VERSION})" >&2
+        echo "Available profiles: $(${JQ} -r '.configurations | keys | join(", ")' "${TMPFILE}")" >&2
+        exit 1
+    fi
+
+    # Validate tls_versions is a non-empty array with a non-null first entry
+    if ! ${JQ} -e ".configurations.${profile}.tls_versions | type == \"array\" and length > 0 and .[0] != null" "${TMPFILE}" >/dev/null; then
+        echo "ERROR: Missing or empty .configurations.${profile}.tls_versions[0] in ${INPUT}" >&2
+        exit 1
+    fi
+
+    # Validate that at least one cipher is present across ciphersuites and ciphers.iana
+    # (modern has only ciphersuites; intermediate has both; either alone is valid)
+    local cipher_count
+    cipher_count=$(${JQ} -r "
+        [
+            (.configurations.${profile}.ciphersuites // []),
+            (.configurations.${profile}.ciphers.iana // [])
+        ] | add | length" "${TMPFILE}")
+    if [ "${cipher_count}" -eq 0 ] 2>/dev/null; then
+        echo "ERROR: Profile '${profile}' has no ciphers in ciphersuites or ciphers.iana" >&2
+        exit 1
+    fi
+
+    # Validate tls_curves is non-empty
+    local curve_count
+    curve_count=$(${JQ} -r ".configurations.${profile}.tls_curves | length" "${TMPFILE}")
+    if [ "${curve_count}" -eq 0 ] 2>/dev/null; then
+        echo "ERROR: Profile '${profile}' has no entries in tls_curves" >&2
+        exit 1
+    fi
+
+    cat >> "${OUTPUT}" <<EOF
+
+var ${profile}TLSProfile = tlsProfile{
 ciphers: cipherSlice{
 cipherNums: []uint16{
 EOF
 
-    ${JQ} -r ".configurations.$1.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
-    ${JQ} -r ".configurations.$1.ciphers.iana[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r "(.configurations.${profile}.ciphersuites // [])[] | . |= \"tls.\" + . + \",\"" "${TMPFILE}" >> "${OUTPUT}"
+    ${JQ} -r "(.configurations.${profile}.ciphers.iana // [])[] | . |= \"tls.\" + . + \",\"" "${TMPFILE}" >> "${OUTPUT}"
 
-    cat >> ${OUTPUT} <<EOF
+    cat >> "${OUTPUT}" <<EOF
 },
 },
 curves: curveSlice{
 curveNums: []tls.CurveID{
 EOF
 
-    ${JQ} -r ".configurations.$1.tls_curves[] | . |= . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r ".configurations.${profile}.tls_curves[] | . |= . + \",\"" "${TMPFILE}" >> "${OUTPUT}"
 
-    version=$(${JQ} -r ".configurations.$1.tls_versions[0]" ${TMPFILE})
+    version=$(${JQ} -r ".configurations.${profile}.tls_versions[0]" "${TMPFILE}")
     version=${version/TLSv1./tls.VersionTLS1}
     version=${version/TLSv1/tls.VersionTLS10}
 
-    cat >> ${OUTPUT} <<EOF
+    cat >> "${OUTPUT}" <<EOF
 },
 },
 minTLSVersion: ${version},
@@ -63,11 +123,10 @@ EOF
 
 generate_profile "modern"
 generate_profile "intermediate"
-generate_profile "old"
 
-# Remove unsupported ciphers from Go's crypto/tls package (Mozilla v5.8 includes these but Go doesn't support them)
-sed -i.bak '/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/d; /TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/d; /TLS_RSA_WITH_AES_256_CBC_SHA256/d' ${OUTPUT}
-rm -f ${OUTPUT}.bak
+# Remove unsupported ciphers from Go's crypto/tls package
+sed -i.bak '/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/d; /TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/d; /TLS_RSA_WITH_AES_256_CBC_SHA256/d' "${OUTPUT}"
+rm -f "${OUTPUT}.bak"
 
 # Make go happy
-go fmt ${OUTPUT}
+go fmt "${OUTPUT}"

internal/shared/util/tlsprofiles/mozilla_data.go

@@ -1,8 +1,8 @@
 package tlsprofiles
 
 // DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
-// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/5.8.json
-// DATA VERSION: 5.8
+// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
+// DATA VERSION: 6
 
 import (
 	"crypto/tls"
@@ -51,40 +51,3 @@ var intermediateTLSProfile = tlsProfile{
 	},
 	minTLSVersion: tls.VersionTLS12,
 }
-
-var oldTLSProfile = tlsProfile{
-	ciphers: cipherSlice{
-		cipherNums: []uint16{
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		},
-	},
-	curves: curveSlice{
-		curveNums: []tls.CurveID{
-			X25519MLKEM768,
-			X25519,
-			prime256v1,
-			secp384r1,
-		},
-	},
-	minTLSVersion: tls.VersionTLS10,
-}

internal/shared/util/tlsprofiles/old_profile.go

@@ -0,0 +1,47 @@
+package tlsprofiles
+
+// This file contains a static copy of the Mozilla "old" TLS compatibility profile
+// from version 5.8 of the SSL Configuration Generator. The "old" profile was
+// removed from the Mozilla specification in later versions but is preserved here
+// for backward compatibility with older clients.
+//
+// Source: https://ssl-config.mozilla.org/guidelines/5.8.json
+
+import "crypto/tls"
+
+var oldTLSProfile = tlsProfile{
+	ciphers: cipherSlice{
+		cipherNums: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		},
+	},
+	curves: curveSlice{
+		curveNums: []tls.CurveID{
+			X25519MLKEM768,
+			X25519,
+			prime256v1,
+			secp384r1,
+		},
+	},
+	minTLSVersion: tls.VersionTLS10,
+}

internal/shared/util/tlsprofiles/tlsprofiles_test.go

@@ -1,40 +1,20 @@
 package tlsprofiles
 
 import (
+	"crypto/tls"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 )
 
-func TestGetProfiles(t *testing.T) {
-	tests := []struct {
-		name   tlsProfileName
-		result bool
-	}{
-		{"modern", true},
-		{"intermediate", true},
-		{"old", true},
-		{"custom", true},
-		{"does-not-exist", false},
-	}
-
-	for _, test := range tests {
-		p, err := findTLSProfile(test.name)
-		if !test.result {
-			require.Error(t, err)
-		} else {
-			require.NoError(t, err)
-			require.NotNil(t, p)
-		}
-	}
-}
-
 func TestGetTLSConfigFunc(t *testing.T) {
 	f, err := GetTLSConfigFunc()
 	require.NoError(t, err)
 	require.NotNil(t, f)
 
-	// Set an invalid profile
+	// Set an invalid profile and restore afterwards
+	orig := configuredProfile
+	t.Cleanup(func() { configuredProfile = orig })
 	configuredProfile = "does-not-exist"
 	f, err = GetTLSConfigFunc()
 	require.Error(t, err)
@@ -114,6 +94,7 @@ func TestSetCustomCurves(t *testing.T) {
 		name   string
 		result bool
 	}{
+		{"X25519MLKEM768", true}, // Post-quantum hybrid curve (Go 1.24+)
 		{"X25519", true},
 		{"prime256v1", true},
 		{"secp384r1", true},
@@ -158,3 +139,28 @@ func TestSetCustomVersion(t *testing.T) {
 		}
 	}
 }
+
+func TestOldProfileMinVersion(t *testing.T) {
+	require.EqualValues(t, tls.VersionTLS10, oldTLSProfile.minTLSVersion)
+}
+
+func TestOldProfileCiphers(t *testing.T) {
+	ciphers := oldTLSProfile.ciphers.cipherNums
+	// v5.8 old profile has exactly 21 ciphers
+	require.Len(t, ciphers, 21, "old profile cipher count changed unexpectedly")
+	// Legacy CBC cipher present in old but not modern/intermediate
+	require.Contains(t, ciphers, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
+	// Most legacy cipher (3DES insecure)
+	require.Contains(t, ciphers, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+	// TLS 1.3 cipher shared with all profiles
+	require.Contains(t, ciphers, tls.TLS_AES_128_GCM_SHA256)
+}
+
+func TestProfilesMapCompleteness(t *testing.T) {
+	for _, name := range []string{"modern", "intermediate", "old", "custom"} {
+		p, err := findTLSProfile(tlsProfileName(name))
+		require.NoErrorf(t, err, "profile %q must be in profiles map", name)
+		require.NotNilf(t, p, "profile %q must not be nil", name)
+	}
+	require.GreaterOrEqual(t, len(profiles), 4, "profiles map must contain at least the required built-in profiles")
+}