tls: set TLS v1.2 as the default minimal version for servers #19330
Conversation
Hi @derekguo001, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already.
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
API comments change LGTM, left a comment about the release notes.
I'm not sure about possible implications of this change, and leaving this up to senior reviewers.
@@ -24,6 +24,7 @@ Minor Behavior Changes | |||
* quic: add back the support for IETF draft 29 which is guarded via ``envoy.reloadable_features.FLAGS_quic_reloadable_flag_quic_disable_version_draft_29``. It is off by default so Envoy only supports RFCv1 without flipping this runtime guard explicitly. Draft 29 is not recommended for use. | |||
* router: take elapsed time into account when setting the x-envoy-expected-rq-timeout-ms header for retries, and never send a value that's longer than the request timeout. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.update_expected_rq_timeout_on_retry`` to false. | |||
* stream_info: response code details with empty space characters (' ', '\t', '\f', '\v', '\n', '\r') is not accepted by the ``setResponseCodeDetails()`` API. | |||
* tls: remove TLS 1.0 and 1.1 from server defaults |
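Review bot: the new entry `* tls: remove TLS 1.0 and 1.1 from server defaults` is placed under "Minor Behavior Changes", but raising the server floor to TLS 1.2 will reject any client that can only negotiate TLS 1.0 or 1.1, so it belongs under "Incompatible Behavior Changes" where operators are more likely to see it. The entry should also end with a period like the neighbouring items and name the field that restores the old behavior, for example `* tls: set TLS v1.2 as the default minimal version for servers. The previous default can be restored by setting tls_minimum_protocol_version explicitly.`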
* tls: remove TLS 1.0 and 1.1 from server defaults
* tls: set TLS v1.2 as the default minimal version for servers.
And please add a link here to tls_minimum_protocol_version (specifying how the default can be modified).
In addition, this should be moved to Incompatible Behavior Changes for better visibility.
OK. Fixed.
/wait
This looks pretty good, but you have a CI failure that needs to be resolved.
/wait
Thanks @ggreenway . I updated the code and resolved the CI failure. But it looks like a new CI sub-task timed out.
/lgtm api
Approval pending CI tests.
/retest
Retrying Azure Pipelines:
Drive-by comment: This should be fine, but I'd wait with merging this right after the release is cut on 1/15. Merging this days before the release doesn't give people enough time to catch issues in the real world.
OK. @PiotrSikora Thanks.
This looks good and we can merge after the release goes out. It will require an update after the release notes get reset when the release is cut. But other than that, this looks good.
/wait
@ggreenway Sure, I'll update it after that.
Remove TLS 1.0 and 1.1 from the default server TLS versions. Users can still explicitly opt-in to 1.0 and 1.1 using tls_minimum_protocol_version. Signed-off-by: derekguo001 <[email protected]>
/retest
Retrying Azure Pipelines:
/retest
Retrying Azure Pipelines:
…oxy#19330) Remove TLS 1.0 and 1.1 from the default server TLS versions. Users can still explicitly opt-in to 1.0 and 1.1 using tls_minimum_protocol_version. Signed-off-by: derekguo001 <[email protected]> Signed-off-by: Josh Perry <[email protected]>
Commit Message: Remove TLS 1.0 and 1.1 from the default server TLS versions. Users can still explicitly opt-in to 1.0 and 1.1 using tls_minimum_protocol_version.
Additional Description:
Risk Level: Low
Testing: updated
Docs Changes: updated
Release Notes: added
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue] #5398 and checks off one box for #5401
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]
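To show where the field named in the commit message lives, here is an added example (not from this PR or the Envoy repository) of a v3 listener with a downstream TLS context that pins the protocol floor explicitly instead of relying on the release default; listener name, port and certificate paths are placeholders.

```yaml
# Added example (not from the PR or the Envoy repo): a v3 listener whose
# transport socket pins the TLS floor. Names, port and cert paths are placeholders.
static_resources:
  listeners:
  - name: https_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_cluster }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_params:
              # Pin the floor so behaviour does not depend on which Envoy
              # release's default is in effect: after this PR the default
              # minimum is TLSv1_2; before it TLS 1.0 and 1.1 were accepted.
              tls_minimum_protocol_version: TLSv1_2
              tls_maximum_protocol_version: TLSv1_3
              # Legacy opt-in the commit message refers to (not recommended):
              # tls_minimum_protocol_version: TLSv1_0
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }  # placeholder
              private_key: { filename: /etc/envoy/certs/server.key }        # placeholder
```

After deploying, a handshake forced to an old version such as `openssl s_client -connect 127.0.0.1:8443 -tls1_1` should fail, while `-tls1_2` succeeds; the failing case confirms the floor is enforced.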