Preserve Mozilla v5.8 old TLS profile and harden update script

- Move oldTLSProfile to a static old_profile.go (removed from v6+ spec)
- Add version-based early exit to update-tls-profiles.sh
- Add profile existence and tls_versions field validation in script
- Add unit tests for old profile content and X25519MLKEM768 curve

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Todd Short <tshort@redhat.com>

Author: tmshort

hack/tools/update-tls-profiles.sh

@@ -8,37 +8,91 @@ if [ -z "${JQ}" ]; then
 fi
 
 OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.go
-INPUT=https://ssl-config.mozilla.org/guidelines/5.8.json
+INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
 
 TMPFILE="$(mktemp)"
 trap 'rm -rf "$TMPFILE"' EXIT
 
 curl -L -s ${INPUT} > ${TMPFILE}
 
-version=$(${JQ} -r '.version' ${TMPFILE})
+# Extract stored version from current output file (may be empty on first run)
+STORED_VERSION=$(grep '^// DATA VERSION:' "${OUTPUT}" 2>/dev/null | awk '{print $4}' || true)
+
+# Extract version from downloaded JSON and fail early if missing
+NEW_VERSION=$(${JQ} -r '.version' ${TMPFILE})
+if [ -z "${NEW_VERSION}" ] || [ "${NEW_VERSION}" = "null" ]; then
+    echo "ERROR: Could not read .version from ${INPUT}" >&2
+    exit 1
+fi
+
+if [ "${NEW_VERSION}" = "${STORED_VERSION}" ]; then
+    echo "Mozilla TLS data is already at version ${NEW_VERSION}, skipping regeneration."
+    exit 0
+fi
+echo "Updating Mozilla TLS data from version ${STORED_VERSION:-unknown} to ${NEW_VERSION}"
 
 cat > ${OUTPUT} <<EOF
 package tlsprofiles
 
 // DO NOT EDIT, GENERATED BY ${0}
 // DATA SOURCE: ${INPUT}
-// DATA VERSION: ${version}
+// DATA VERSION: ${NEW_VERSION}
 
 import (
 "crypto/tls"
 )
 EOF
 
 function generate_profile {
+    local profile="$1"
+
+    # Validate the profile key exists before writing any output
+    local exists
+    exists=$(${JQ} -r ".configurations | has(\"${profile}\")" "${TMPFILE}")
+    if [ "${exists}" != "true" ]; then
+        echo "ERROR: Profile '${profile}' not found in ${INPUT} (version ${NEW_VERSION})" >&2
+        echo "Available profiles: $(${JQ} -r '.configurations | keys | join(", ")' "${TMPFILE}")" >&2
+        exit 1
+    fi
+
+    # Validate tls_versions exists (required for Go code generation)
+    local has_versions
+    has_versions=$(${JQ} -r ".configurations.${profile} | has(\"tls_versions\")" "${TMPFILE}")
+    if [ "${has_versions}" != "true" ]; then
+        echo "ERROR: Profile '${profile}' is missing required field 'tls_versions'" >&2
+        exit 1
+    fi
+
+    # Validate that at least one cipher is present across ciphersuites and ciphers.iana
+    # (modern has only ciphersuites; intermediate has both; either alone is valid)
+    local cipher_count
+    cipher_count=$(${JQ} -r "
+        [
+            (.configurations.${profile}.ciphersuites // []),
+            (.configurations.${profile}.ciphers.iana // [])
+        ] | add | length" "${TMPFILE}")
+    if [ "${cipher_count}" -eq 0 ] 2>/dev/null; then
+        echo "ERROR: Profile '${profile}' has no ciphers in ciphersuites or ciphers.iana" >&2
+        exit 1
+    fi
+
+    # Validate tls_curves is non-empty
+    local curve_count
+    curve_count=$(${JQ} -r ".configurations.${profile}.tls_curves | length" "${TMPFILE}")
+    if [ "${curve_count}" -eq 0 ] 2>/dev/null; then
+        echo "ERROR: Profile '${profile}' has no entries in tls_curves" >&2
+        exit 1
+    fi
+
     cat >> ${OUTPUT} <<EOF
 
-var ${1}TLSProfile = tlsProfile{
+var ${profile}TLSProfile = tlsProfile{
 ciphers: cipherSlice{
 cipherNums: []uint16{
 EOF
 
-    ${JQ} -r ".configurations.$1.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
-    ${JQ} -r ".configurations.$1.ciphers.iana[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r ".configurations.$profile.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r ".configurations.$profile.ciphers.iana[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
 
     cat >> ${OUTPUT} <<EOF
 },
@@ -47,9 +101,9 @@ curves: curveSlice{
 curveNums: []tls.CurveID{
 EOF
 
-    ${JQ} -r ".configurations.$1.tls_curves[] | . |= . + \",\"" ${TMPFILE} >> ${OUTPUT}
+    ${JQ} -r ".configurations.$profile.tls_curves[] | . |= . + \",\"" ${TMPFILE} >> ${OUTPUT}
 
-    version=$(${JQ} -r ".configurations.$1.tls_versions[0]" ${TMPFILE})
+    version=$(${JQ} -r ".configurations.$profile.tls_versions[0]" ${TMPFILE})
     version=${version/TLSv1./tls.VersionTLS1}
     version=${version/TLSv1/tls.VersionTLS10}
 
@@ -63,9 +117,8 @@ EOF
 
 generate_profile "modern"
 generate_profile "intermediate"
-generate_profile "old"
 
-# Remove unsupported ciphers from Go's crypto/tls package (Mozilla v5.8 includes these but Go doesn't support them)
+# Remove unsupported ciphers from Go's crypto/tls package
 sed -i.bak '/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/d; /TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/d; /TLS_RSA_WITH_AES_256_CBC_SHA256/d' ${OUTPUT}
 rm -f ${OUTPUT}.bak
 

internal/shared/util/tlsprofiles/mozilla_data.go

@@ -1,8 +1,8 @@
 package tlsprofiles
 
 // DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
-// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/5.8.json
-// DATA VERSION: 5.8
+// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
+// DATA VERSION: 6
 
 import (
 	"crypto/tls"
@@ -51,40 +51,3 @@ var intermediateTLSProfile = tlsProfile{
 	},
 	minTLSVersion: tls.VersionTLS12,
 }
-
-var oldTLSProfile = tlsProfile{
-	ciphers: cipherSlice{
-		cipherNums: []uint16{
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		},
-	},
-	curves: curveSlice{
-		curveNums: []tls.CurveID{
-			X25519MLKEM768,
-			X25519,
-			prime256v1,
-			secp384r1,
-		},
-	},
-	minTLSVersion: tls.VersionTLS10,
-}

internal/shared/util/tlsprofiles/old_profile.go

@@ -0,0 +1,47 @@
+package tlsprofiles
+
+// This file contains a static copy of the Mozilla "old" TLS compatibility profile
+// from version 5.8 of the SSL Configuration Generator. The "old" profile was
+// removed from the Mozilla specification in later versions but is preserved here
+// for backward compatibility with older clients.
+//
+// Source: https://ssl-config.mozilla.org/guidelines/5.8.json
+
+import "crypto/tls"
+
+var oldTLSProfile = tlsProfile{
+	ciphers: cipherSlice{
+		cipherNums: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		},
+	},
+	curves: curveSlice{
+		curveNums: []tls.CurveID{
+			X25519MLKEM768,
+			X25519,
+			prime256v1,
+			secp384r1,
+		},
+	},
+	minTLSVersion: tls.VersionTLS10,
+}

internal/shared/util/tlsprofiles/tlsprofiles_test.go

@@ -1,6 +1,7 @@
 package tlsprofiles
 
 import (
+	"crypto/tls"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -114,6 +115,7 @@ func TestSetCustomCurves(t *testing.T) {
 		name   string
 		result bool
 	}{
+		{"X25519MLKEM768", true}, // Post-quantum hybrid curve (Go 1.24+)
 		{"X25519", true},
 		{"prime256v1", true},
 		{"secp384r1", true},
@@ -158,3 +160,41 @@ func TestSetCustomVersion(t *testing.T) {
 		}
 	}
 }
+
+func TestOldProfileMinVersion(t *testing.T) {
+	require.Equal(t, tls.VersionTLS10, int(oldTLSProfile.minTLSVersion))
+}
+
+func TestOldProfileCiphers(t *testing.T) {
+	ciphers := oldTLSProfile.ciphers.cipherNums
+	// v5.8 old profile has exactly 21 ciphers
+	require.Len(t, ciphers, 21, "old profile cipher count changed unexpectedly")
+	// Legacy CBC cipher present in old but not modern/intermediate
+	require.Contains(t, ciphers, uint16(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA))
+	// Most legacy cipher (3DES insecure)
+	require.Contains(t, ciphers, uint16(tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA))
+	// TLS 1.3 cipher shared with all profiles
+	require.Contains(t, ciphers, uint16(tls.TLS_AES_128_GCM_SHA256))
+}
+
+func TestProfilesMapCompleteness(t *testing.T) {
+	for _, name := range []string{"modern", "intermediate", "old", "custom"} {
+		p, err := findTLSProfile(tlsProfileName(name))
+		require.NoErrorf(t, err, "profile %q must be in profiles map", name)
+		require.NotNilf(t, p, "profile %q must not be nil", name)
+	}
+	require.Len(t, profiles, 4, "unexpected profile count; update test if adding a new profile")
+}
+
+// TestX25519MLKEM768InProfiles verifies that the post-quantum hybrid curve
+// X25519MLKEM768 (added in Go 1.24) is present in all three named profiles.
+// This curve is part of the Mozilla recommendation and its presence should be
+// guarded against accidental removal.
+func TestX25519MLKEM768InProfiles(t *testing.T) {
+	for _, name := range []string{"modern", "intermediate", "old"} {
+		p, err := findTLSProfile(tlsProfileName(name))
+		require.NoError(t, err)
+		require.Containsf(t, p.curves.curveNums, tls.CurveID(X25519MLKEM768),
+			"profile %q must include X25519MLKEM768", name)
+	}
+}