Support TLS minVersion and maxVersion in opa server so that it can disable TLS 1.0 and 1.1 #3226

Closed
shaoxt opened this issue Mar 5, 2021 · 4 comments · Fixed by #3517

Comments

@shaoxt

shaoxt commented Mar 5, 2021

Expected Behavior

OPA server should allow disabling TLS 1.0 and 1.1 through either configuration or an argument.

Actual Behavior

HTTPS server supports the TLS minVersion and maxVersion, but opa server doesn't expose them in arguments or configuration.

Steps to Reproduce the Problem

Any OPA version.

Additional Info

@srenatus
Contributor

srenatus commented Mar 6, 2021

That's a great idea. Thanks for bringing it up.

@srenatus
Contributor

We could also default to denying 1.0 and 1.1 unless configured otherwise. What's the use of a max version here? I'm not sure I understand the situation where you'd want to restrict the upper bound 🤔

@kale-amruta
Contributor

@srenatus @anderseknert is this something that I can take up?

@anderseknert
Member

@kale-amruta I don't see why not 😃 As @srenatus said I don't know if a max version is really needed, but a new --tls-min-version option seems useful to me.

kale-amruta pushed a commit to kale-amruta/opa that referenced this issue Jun 29, 2021
Opa server now supports min TLS version, TLS versions supported are 1.0, 1.1, 1.2, 1.3.
Since TLS 1.0 and 1.1 are deprecated, default min TLS version for opa is TLS 1.2 but
if someone wants to restrict opa to use a specific minimum TLS version, they can specify it using cmd parameter --min-tls-version

fixes open-policy-agent#3226
Signed-off-by: Amruta Kale <[email protected]>
srenatus pushed a commit that referenced this issue Jun 30, 2021
* Support for minimum TLS version

OPA server now supports min TLS version, TLS versions supported are 1.0, 1.1, 1.2, 1.3.

Since TLS 1.0 and 1.1 are deprecated, default min TLS version for OPA is TLS 1.2 but
if someone wants to restrict OPA to use a specific minimum TLS version, they can
specify it using cmd parameter `--min-tls-version`.

Fixes #3226.

Signed-off-by: Amruta Kale <[email protected]>
juliafriedman8 pushed a commit to juliafriedman8/opa that referenced this issue Jul 13, 2021
…y-agent#3517)

* Support for minimum TLS version

OPA server now supports min TLS version, TLS versions supported are 1.0, 1.1, 1.2, 1.3.

Since TLS 1.0 and 1.1 are deprecated, default min TLS version for OPA is TLS 1.2 but
if someone wants to restrict OPA to use a specific minimum TLS version, they can
specify it using cmd parameter `--min-tls-version`.

Fixes open-policy-agent#3226.

Signed-off-by: Amruta Kale <[email protected]>
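
An added example, not OPA's code and not part of this thread: the behaviour the commit messages above describe, written against Go's `crypto/tls`. It maps a `--min-tls-version` value to a protocol constant with TLS 1.2 as the default, then checks with an in-memory handshake that a client capped at TLS 1.1 is refused. The names `tlsVersions`, `parseMinTLS`, `selfSigned` and `handshake` are hypothetical, and the certificate is generated only for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tlsVersions: flag values listed in the commit message; "" selects the TLS 1.2 default.
var tlsVersions = map[string]uint16{"": tls.VersionTLS12, "1.0": tls.VersionTLS10,
	"1.1": tls.VersionTLS11, "1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// parseMinTLS (hypothetical name) rejects any value outside that list.
func parseMinTLS(v string) (uint16, error) {
	if ver, ok := tlsVersions[v]; ok {
		return ver, nil
	}
	return 0, fmt.Errorf("unsupported TLS version %q", v)
}

// selfSigned builds a throwaway certificate, constructed only for this demo.
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake returns the client-side result of a client capped at clientMax (TLS 1.2 or lower here).
func handshake(serverMin, clientMax uint16) error {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{selfSigned()}, MinVersion: serverMin}
	go tls.Server(s, srvCfg).Handshake()
	// InsecureSkipVerify: throwaway certificate; only version negotiation is tested.
	cliCfg := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: clientMax}
	return tls.Client(c, cliCfg).Handshake()
}

func main() {
	def, _ := parseMinTLS("") // flag not set: TLS 1.2
	fmt.Println(handshake(def, tls.VersionTLS11), handshake(def, tls.VersionTLS12))
}
```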