Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configurable option for TLS version between envoy and contour #3518

Closed
movikbence opened this issue Mar 26, 2021 · 5 comments · Fixed by #4065
Closed

Configurable option for TLS version between envoy and contour #3518

movikbence opened this issue Mar 26, 2021 · 5 comments · Fixed by #4065
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor.
Milestone
1.20.0

Comments

@movikbence
Copy link

Hi

I asked a question on slack, if it is possible to set the minimum version of TLS between envoy and contour. I got that answer that in the moment it is not. I think it would be nice to have that.

Thank you for taking into consideration.

Br,
Bence
@movikbence movikbence added kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Mar 26, 2021
@youngnick
Copy link
Member

This seems like a reasonable feature. Out of curiosity @movikbence, what do you want to set the TLS version to?

@movikbence
Copy link
Author

since that is is 1.2 now, I would like to have 1.3

@youngnick
Copy link
Member

This is definitely a reasonable feature, so I'll mark it as a "help-wanted" one. Thanks for this request @movikbence!

@youngnick youngnick added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Apr 6, 2021
@tsaarni
Copy link
Member

tsaarni commented Sep 23, 2021

Would some users need still TLS 1.2 or would it be possible to go with TLS 1.3 only, without configurability? As long as we are serving only Envoy's, forcing TLS 1.3 as minimum could work as well for any (reasonable) version of Envoy?

Also, xref #3574 #4024 that looks for global TLS settings.

@youngnick
Copy link
Member

That's a great point, and worth doing, as long as we document the new cipher requirements TLS 1.3 brings.

@tsaarni tsaarni mentioned this issue Sep 30, 2021
Merged
2 tasks
@youngnick youngnick modified the milestones: 1.19.0, 1.20.0 Oct 7, 2021
tsaarni added a commit to Nordix/contour that referenced this issue Oct 7, 2021
@tsaarni
internal/envoy: Allow TLSv1.3 for xDS connection.
8d6eda0 
This change sets the maximum TLS version to TLSv1.3 in the Envoy bootstrap
config for the xDS connection.  It means that TLSv1.3 will be selected from
now on, since Contour already accepts TLSv1.3.

Previously Envoy defaulted to TLSv1.2 for the xDS connection.

Updates projectcontour#3518

Signed-off-by: Tero Saarni <[email protected]>
@tsaarni tsaarni mentioned this issue Oct 7, 2021
Merged
tsaarni added a commit to Nordix/contour that referenced this issue Oct 7, 2021
@tsaarni
internal/envoy: Allow TLSv1.3 for xDS connection.
df55e02 
This change sets the maximum TLS version to TLSv1.3 in the Envoy bootstrap
config for the xDS connection.  It means that TLSv1.3 will be selected from
now on, since Contour already accepts TLSv1.3.

Previously Envoy defaulted to TLSv1.2 for the xDS connection.

Updates projectcontour#3518

Signed-off-by: Tero Saarni <[email protected]>
skriss pushed a commit that referenced this issue Oct 7, 2021
@tsaarni
internal/envoy: Allow TLSv1.3 for xDS connection. (#4081)
7963cce 
This change sets the maximum TLS version to TLSv1.3 in the Envoy bootstrap
config for the xDS connection.  It means that TLSv1.3 will be selected from
now on, since Contour already accepts TLSv1.3.

Previously Envoy defaulted to TLSv1.2 for the xDS connection.

Updates #3518

Signed-off-by: Tero Saarni <[email protected]>
@stevesloka stevesloka moved this to Todo in Contour Oct 26, 2021
Repository owner moved this from Todo to Done in Contour Nov 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor.
Projects
Contour
Archived in project
Milestone
1.20.0
Development

Successfully merging a pull request may close this issue.

cmd/contour: Update to TLS 1.3 for xDS between Contour and Envoy Nordix/contour
3 participants
@tsaarni @youngnick @movikbence