Bump cfssl to 56268a6

vendor/github.com/cloudflare/cfssl/cli/serve/BUILD

@@ -14,6 +14,7 @@ go_library(
         "//vendor/github.com/cloudflare/cfssl/api/crl:go_default_library",
         "//vendor/github.com/cloudflare/cfssl/api/gencrl:go_default_library",
         "//vendor/github.com/cloudflare/cfssl/api/generator:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/api/health:go_default_library",
         "//vendor/github.com/cloudflare/cfssl/api/info:go_default_library",
         "//vendor/github.com/cloudflare/cfssl/api/initca:go_default_library",
         "//vendor/github.com/cloudflare/cfssl/api/ocsp:go_default_library",

vendor/github.com/cloudflare/cfssl/cli/serve/serve.go

@@ -20,6 +20,7 @@ import (
 	"github.com/cloudflare/cfssl/api/crl"
 	"github.com/cloudflare/cfssl/api/gencrl"
 	"github.com/cloudflare/cfssl/api/generator"
+	"github.com/cloudflare/cfssl/api/health"
 	"github.com/cloudflare/cfssl/api/info"
 	"github.com/cloudflare/cfssl/api/initca"
 	apiocsp "github.com/cloudflare/cfssl/api/ocsp"
@@ -45,21 +46,21 @@ import (
 var serverUsageText = `cfssl serve -- set up a HTTP server handles CF SSL requests
 
 Usage of serve:
-        cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
+        cfssl serve [-address address] [-min-tls-version version] [-ca cert] [-ca-bundle bundle] \
                     [-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
                     [-metadata file] [-remote remote_host] [-config config] \
-                    [-responder cert] [-responder-key key] [-tls-cert cert] [-tls-key key] \
-                    [-mutual-tls-ca ca] [-mutual-tls-cn regex] \
+                    [-responder cert] [-responder-key key] \
+                    [-tls-cert cert] [-tls-key key] [-mutual-tls-ca ca] [-mutual-tls-cn regex] \
                     [-tls-remote-ca ca] [-mutual-tls-client-cert cert] [-mutual-tls-client-key key] \
-                    [-db-config db-config]
+                    [-db-config db-config] [-disable endpoint[,endpoint]]
 
 Flags:
 `
 
 // Flags used by 'cfssl serve'
-var serverFlags = []string{"address", "port", "ca", "ca-key", "ca-bundle", "int-bundle", "int-dir", "metadata",
-	"remote", "config", "responder", "responder-key", "tls-key", "tls-cert", "mutual-tls-ca", "mutual-tls-cn",
-	"tls-remote-ca", "mutual-tls-client-cert", "mutual-tls-client-key", "db-config"}
+var serverFlags = []string{"address", "port", "min-tls-version", "ca", "ca-key", "ca-bundle", "int-bundle", "int-dir",
+	"metadata", "remote", "config", "responder", "responder-key", "tls-key", "tls-cert", "mutual-tls-ca",
+	"mutual-tls-cn", "tls-remote-ca", "mutual-tls-client-cert", "mutual-tls-client-key", "db-config", "disable"}
 
 var (
 	conf       cli.Config
@@ -80,7 +81,7 @@ func v1APIPath(path string) string {
 }
 
 // httpBox implements http.FileSystem which allows the use of Box with a http.FileServer.
-// Atempting to Open an API endpoint will result in an error.
+// Attempting to Open an API endpoint will result in an error.
 type httpBox struct {
 	*rice.Box
 	redirects map[string]string
@@ -241,13 +242,27 @@ var endpoints = map[string]func() (http.Handler, error){
 
 		return http.FileServer(staticBox), nil
 	},
+
+	"health": func() (http.Handler, error) {
+		return health.NewHealthCheck(), nil
+	},
 }
 
 // registerHandlers instantiates various handlers and associate them to corresponding endpoints.
 func registerHandlers() {
+	disabled := make(map[string]bool)
+	if conf.Disable != "" {
+		for _, endpoint := range strings.Split(conf.Disable, ",") {
+			disabled[endpoint] = true
+		}
+	}
+
 	for path, getHandler := range endpoints {
 		log.Debugf("getHandler for %s", path)
-		if handler, err := getHandler(); err != nil {
+
+		if _, ok := disabled[path]; ok {
+			log.Infof("endpoint '%s' is explicitly disabled", path)
+		} else if handler, err := getHandler(); err != nil {
 			log.Warningf("endpoint '%s' is disabled: %v", path, err)
 		} else {
 			if path, handler, err = wrapHandler(path, handler, err); err != nil {
@@ -298,6 +313,11 @@ func serverMain(args []string, c cli.Config) error {
 
 	addr := net.JoinHostPort(conf.Address, strconv.Itoa(conf.Port))
 
+	tlscfg := tls.Config{}
+	if conf.MinTLSVersion != "" {
+		tlscfg.MinVersion = helpers.StringTLSVersion(conf.MinTLSVersion)
+	}
+
 	if conf.TLSCertFile == "" || conf.TLSKeyFile == "" {
 		log.Info("Now listening on ", addr)
 		return http.ListenAndServe(addr, nil)
@@ -308,12 +328,12 @@ func serverMain(args []string, c cli.Config) error {
 			return fmt.Errorf("failed to load mutual TLS CA file: %s", err)
 		}
 
+		tlscfg.ClientAuth = tls.RequireAndVerifyClientCert
+		tlscfg.ClientCAs = clientPool
+
 		server := http.Server{
-			Addr: addr,
-			TLSConfig: &tls.Config{
-				ClientAuth: tls.RequireAndVerifyClientCert,
-				ClientCAs:  clientPool,
-			},
+			Addr:      addr,
+			TLSConfig: &tlscfg,
 		}
 
 		if conf.MutualTLSCNRegex != "" {
@@ -338,7 +358,11 @@ func serverMain(args []string, c cli.Config) error {
 		return server.ListenAndServeTLS(conf.TLSCertFile, conf.TLSKeyFile)
 	}
 	log.Info("Now listening on https://", addr)
-	return http.ListenAndServeTLS(addr, conf.TLSCertFile, conf.TLSKeyFile, nil)
+	server := http.Server{
+		Addr:      addr,
+		TLSConfig: &tlscfg,
+	}
+	return server.ListenAndServeTLS(conf.TLSCertFile, conf.TLSKeyFile)
 
 }