tls: remove 1.0 and 1.1 from client defaults #8755

Merged
merged 5 commits into from
Nov 5, 2019
Changes from 2 commits
3 changes: 2 additions & 1 deletion api/envoy/api/v2/auth/cert.proto
Expand Up @@ -35,7 +35,8 @@ message TlsParameters {
TLSv1_3 = 4;
}

// Minimum TLS protocol version. By default, it's ``TLSv1_0``.
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
Member
FWIW, this is cool by the Envoy stable API versioning guidelines, since defaults are client specific; control planes that need stability must set explicit values.

// servers.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];

// Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
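Review bot: the reworded comment now states two defaults in one sentence without saying which side "client" and "server" refer to; since TlsParameters is shared by the upstream context (Envoy as TLS client) and the downstream context (Envoy as TLS server), spell that out, and add a sentence that deployments which still need TLS 1.0 or 1.1 towards an upstream must now set tls_minimum_protocol_version explicitly, which is the point the review comment above makes about API stability.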
3 changes: 2 additions & 1 deletion api/envoy/api/v3alpha/auth/cert.proto
Expand Up @@ -35,7 +35,8 @@ message TlsParameters {
TLSv1_3 = 4;
}

// Minimum TLS protocol version. By default, it's ``TLSv1_0``.
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
// servers.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];

// Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
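Review bot: this mirrors the v2 wording exactly, which is what v3alpha should do while it tracks v2; if the v2 comment is reworded before merge, copy the final text here verbatim so the two files do not drift.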
1 change: 1 addition & 0 deletions docs/root/intro/version_history.rst
Expand Up @@ -96,6 +96,7 @@ Version history
<envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.idle_timeout>` is now 1 hour.
* thrift_proxy: fix crashing bug on invalid transport/protocol framing
* tls: added verification of IP address SAN fields in certificates against configured SANs in the
* tls: remove TLS 1.0 and 1.1 from client defaults
* tracing: added support to the Zipkin reporter for sending list of spans as Zipkin JSON v2 and protobuf message over HTTP.
certificate validation context.
* tracing: added tags for gRPC response status and message.
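Review bot: the new entry lands in the middle of a multi-line entry: "* tls: added verification of IP address SAN fields in certificates against configured SANs in the" continues with "certificate validation context.", and both the added tls line and the existing tracing/Zipkin line now sit between them, so the rendered list shows a dangling fragment. Move the new line after "certificate validation context." (and ideally the Zipkin line with it, so each entry is contiguous and the alphabetical order holds). The entry would also read better if it named the new floor, e.g. "tls: removed TLS 1.0 and 1.1 from client defaults; the default client minimum is now TLS 1.2. Server defaults are unchanged."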
Expand Up @@ -273,7 +273,7 @@ unsigned ContextConfigImpl::tlsVersionFromProto(
NOT_REACHED_GCOVR_EXCL_LINE;
}

const unsigned ClientContextConfigImpl::DEFAULT_MIN_VERSION = TLS1_VERSION;
const unsigned ClientContextConfigImpl::DEFAULT_MIN_VERSION = TLS1_2_VERSION;
const unsigned ClientContextConfigImpl::DEFAULT_MAX_VERSION = TLS1_2_VERSION;

const std::string ClientContextConfigImpl::DEFAULT_CIPHER_SUITES =
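Review bot: with DEFAULT_MIN_VERSION and DEFAULT_MAX_VERSION both TLS1_2_VERSION, the client default range is a single protocol version; add a short comment on these two constants saying the min == max is intentional and that the server-side defaults (TLSv1_0 minimum, per the proto doc in this PR) are untouched, so a later reader does not read the equal values as a copy-paste slip.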
12 changes: 8 additions & 4 deletions test/extensions/transport_sockets/tls/ssl_socket_test.cc
Expand Up @@ -3328,17 +3328,21 @@ TEST_P(SslSocketTest, ProtocolVersions) {
server_params->clear_tls_minimum_protocol_version();
server_params->clear_tls_maximum_protocol_version();

// Connection using defaults (client) and TLSv1.0 (server) succeeds.
TestUtilOptionsV2 unsupported_protocol_test_options(listener, client, false, GetParam());
unsupported_protocol_test_options.setExpectedServerStats("ssl.connection_error")
.setExpectedTransportFailureReasonContains("UNSUPPORTED_PROTOCOL");

// Connection using defaults (client) and TLSv1.0 (server) fails.
server_params->set_tls_minimum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_0);
server_params->set_tls_maximum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_0);
testUtilV2(tls_v1_test_options);
testUtilV2(unsupported_protocol_test_options);
server_params->clear_tls_minimum_protocol_version();
server_params->clear_tls_maximum_protocol_version();

// Connection using defaults (client) and TLSv1.1 (server) succeeds.
// Connection using defaults (client) and TLSv1.1 (server) fails.
server_params->set_tls_minimum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_1);
server_params->set_tls_maximum_protocol_version(envoy::api::v2::auth::TlsParameters::TLSv1_1);
testUtilV2(tls_v1_1_test_options);
testUtilV2(unsupported_protocol_test_options);
server_params->clear_tls_minimum_protocol_version();
server_params->clear_tls_maximum_protocol_version();

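Review bot: both former positive cases are replaced by rejections, so after this hunk nothing in ProtocolVersions asserts that the client defaults still succeed against a server pinned to TLSv1_2; add one positive case (server min and max set to TLSv1_2, client defaults) next to the two unsupported_protocol_test_options runs so the test pins the new floor as well as the removals. Sharing one options object for the TLSv1.0 and TLSv1.1 runs is fine, but the "UNSUPPORTED_PROTOCOL" substring and "ssl.connection_error" stat only show the server rejected the handshake; if testUtilV2 can also check the client-side counter, that would make the failure side unambiguous.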