diff --git a/api/envoy/api/v2/auth/cert.proto b/api/envoy/api/v2/auth/cert.proto
index 7268af005efc..4ff763945f4c 100644
--- a/api/envoy/api/v2/auth/cert.proto
+++ b/api/envoy/api/v2/auth/cert.proto
@@ -35,7 +35,8 @@ message TlsParameters {
 TLSv1_3 = 4;
 }
- // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
+ // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
+ // servers.
 TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
 // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
diff --git a/api/envoy/api/v3alpha/auth/cert.proto b/api/envoy/api/v3alpha/auth/cert.proto
index 1b6bd9cd43bd..9dd6a068a37b 100644
--- a/api/envoy/api/v3alpha/auth/cert.proto
+++ b/api/envoy/api/v3alpha/auth/cert.proto
@@ -35,7 +35,8 @@ message TlsParameters {
 TLSv1_3 = 4;
 }
- // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
+ // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
+ // servers.
 TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
 // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
index 0688662013b0..b8f85e468fc7 100644
--- a/docs/root/intro/version_history.rst
+++ b/docs/root/intro/version_history.rst
@@ -4,6 +4,7 @@ Version history
 1.13.0 (pending)
 ================
 * tcp_proxy: added :ref:`hash_policy`
+* tls: remove TLS 1.0 and 1.1 from client defaults
 1.12.0 (October 31, 2019)
 =========================
diff --git a/source/extensions/transport_sockets/tls/context_config_impl.cc b/source/extensions/transport_sockets/tls/context_config_impl.cc
index e7bcc9f6610b..6c8a79d60a8d 100644
--- a/source/extensions/transport_sockets/tls/context_config_impl.cc
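Review bot: The rewritten comment on `tls_minimum_protocol_version` states the new client default but not what an operator whose upstreams only speak TLS 1.0 or 1.1 must now do, and for an API-level default change that is the sentence they will look for. I would extend the added comment, in both the v2 and v3alpha copies, with `// Clients that must connect to upstreams limited to TLS 1.0 or 1.1 have to set this field` followed by `// explicitly; the default no longer allows those versions.` It would also help to say why the two defaults are now asymmetric, presumably that the server default stays at ``TLSv1_0`` so existing downstream clients keep connecting, if that is the intent. The `TlsParameters` message starts and ends outside the hunk.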
+++ b/source/extensions/transport_sockets/tls/context_config_impl.cc
@@ -273,7 +273,7 @@ unsigned ContextConfigImpl::tlsVersionFromProto(
 NOT_REACHED_GCOVR_EXCL_LINE;
 }
-const unsigned ClientContextConfigImpl::DEFAULT_MIN_VERSION = TLS1_VERSION;
+const unsigned ClientContextConfigImpl::DEFAULT_MIN_VERSION = TLS1_2_VERSION;
 const unsigned ClientContextConfigImpl::DEFAULT_MAX_VERSION = TLS1_2_VERSION;
 const std::string ClientContextConfigImpl::DEFAULT_CIPHER_SUITES =
diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
index 70889394feb7..30c5d112094f 100644
--- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc
+++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc
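Review bot: Raising `ClientContextConfigImpl::DEFAULT_MIN_VERSION` to `TLS1_2_VERSION` makes the client default minimum equal to `DEFAULT_MAX_VERSION`, so an existing `UpstreamTlsContext` that sets only `tls_maximum_protocol_version` to ``TLSv1_0`` or ``TLSv1_1`` now resolves to a minimum above its maximum; nothing in this hunk validates that, and unless the context constructor outside this hunk already rejects min > max, such a cluster will fail every handshake with no configuration-time error. I would compare the resolved minimum and maximum at config load and throw with a message naming both `tls_minimum_protocol_version` and `tls_maximum_protocol_version`, or at least call this out in the release note. The constant also deserves a why-comment, since the asymmetry with the server default is a deliberate security decision: `// Clients default to TLS 1.2 only; TLS 1.0/1.1 upstreams must opt in via tls_minimum_protocol_version.` `tlsVersionFromProto` begins outside the hunk.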
@@ -3328,17 +3328,21 @@ TEST_P(SslSocketTest, ProtocolVersions) {
 server_params->clear_tls_minimum_protocol_version();
 server_params->clear_tls_maximum_protocol_version();
- // Connection using defaults (client) and TLSv1.0 (server) succeeds.
+ TestUtilOptionsV2 unsupported_protocol_test_options(listener, client, false, GetParam());
+ unsupported_protocol_test_options.setExpectedServerStats("ssl.connection_error") .setExpectedTransportFailureReasonContains("UNSUPPORTED_PROTOCOL");
+
+ // Connection using defaults (client) and TLSv1.0 (server) fails.
 server_params->set_tls_minimum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_0);
 server_params->set_tls_maximum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_0);
- testUtilV2(tls_v1_test_options);
+ testUtilV2(unsupported_protocol_test_options);
 server_params->clear_tls_minimum_protocol_version();
 server_params->clear_tls_maximum_protocol_version();
- // Connection using defaults (client) and TLSv1.1 (server) succeeds.
+ // Connection using defaults (client) and TLSv1.1 (server) fails.
 server_params->set_tls_minimum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_1);
 server_params->set_tls_maximum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_1);
- testUtilV2(tls_v1_1_test_options);
+ testUtilV2(unsupported_protocol_test_options);
 server_params->clear_tls_minimum_protocol_version();
 server_params->clear_tls_maximum_protocol_version();
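Review bot: The two `unsupported_protocol_test_options` cases prove that the client default now refuses a TLS 1.0-only and a TLS 1.1-only server, but nothing in this hunk exercises the opt-in path, a client that explicitly sets `tls_minimum_protocol_version` to ``TLSv1_0`` still completing a handshake with that server, which is exactly the behaviour operators with legacy upstreams will rely on after this change. If `ProtocolVersions` does not already cover it outside the hunk, I would add a case that sets the client minimum to ``TLSv1_0`` against the same TLS 1.0-only server and runs the former `tls_v1_test_options` expectation, and likewise for 1.1. If `tls_v1_test_options` and `tls_v1_1_test_options` were referenced only by the two replaced `testUtilV2` calls, they are now dead locals and should either be removed or reused in that opt-in case. The `TEST_P(SslSocketTest, ProtocolVersions)` body starts and ends outside the hunk.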