feat: bump default TLS version to TLS v1.2 #121
Conversation
Let's hold off on merging this until we have sanity checked that this won't do anything surprising when Beats, Elastic Agent, and Fleet Server are eventually updated with this change. In particular we need to verify that an Elastic Agent defaulting to TLS v1.2 can connect to a Fleet Server defaulting to TLS v1.1 and vice versa. The version negotiation should just work, but the downside and impact of being wrong about that is big enough that I don't want to assume there will be no problems. Let's actually test it first.
@cmacknz can you provide an update whether this is planned to make it into

No progress on this, not a high priority for us yet.

@pierrehilbert can we please make this a priority for one of the next upcoming sprints? As stated by @cmacknz we should test this and it will most probably work OOTB.
As mentioned in #121 (comment), the work left to do on this PR now is testing the impact of the changes in this PR before we can be confident about merging it. Concretely, the following two tests will need to be performed:

Agent using TLSv1.1 can talk to Fleet Server using TLSv1.2

For this test, Elastic Agent will need to be built without any changes to its dependencies. This will produce an Agent that's using TLSv1.1. Fleet Server will need to be built with its

Then it's a matter of enrolling the built Agent with the built Fleet Server and smoke testing that a few common operations in Fleet that would cause back-and-forth communication between Agent and Fleet Server work as expected.

Agent using TLSv1.2 can talk to Fleet Server using TLSv1.1

For this test, Elastic Agent will need to be built with its

Fleet Server will need to be built without any changes to its dependencies. This will produce a Fleet Server that's using TLSv1.1. Then it's a matter of enrolling the built Agent with the built Fleet Server and smoke testing that a few common operations in Fleet that would cause back-and-forth communication between Agent and Fleet Server work as expected.
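The two negotiation checks described in the comment above (an Agent defaulting to TLS 1.1 against a Fleet Server defaulting to TLS 1.2, and the reverse), as an added Go example that is not part of this PR or of elastic-agent-libs: it runs each handshake over an in-memory pipe with Go's crypto/tls, using a self-signed certificate constructed for the example and version bounds passed in as parameters, and adds a third case where one side cannot go above TLS 1.1 at all, which is the situation an explicit opt-out back to the old default exists for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// negotiate runs one handshake over an in-memory pipe between a client ("Agent") and a server ("Fleet
// Server"), each bounded by the given TLS versions (0 = Go's default), and returns the agreed version.
func negotiate(clientMin, clientMax, serverMin, serverMax uint16) (uint16, error) {
	// Throwaway self-signed ECDSA certificate for the server side (constructed for this example only).
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"fleet-server.test"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cconn, sconn := net.Pipe()
	// Tickets are disabled so the server's first flight ends with Finished: net.Pipe is unbuffered and a ticket the client never reads during the handshake would block the server.
	srv := tls.Server(sconn, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		SessionTicketsDisabled: true, MinVersion: serverMin, MaxVersion: serverMax})
	cli := tls.Client(cconn, &tls.Config{RootCAs: pool, ServerName: "fleet-server.test", MinVersion: clientMin, MaxVersion: clientMax})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	cerr := cli.Handshake()
	cconn.Close() // unblocks the server if it is still mid-handshake after a client-side failure
	if err := errors.Join(cerr, <-errc); err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, c := range [][4]uint16{
		{tls.VersionTLS11, 0, tls.VersionTLS12, 0},                // Agent default 1.1, Fleet Server default 1.2
		{tls.VersionTLS12, 0, tls.VersionTLS11, 0},                // Agent default 1.2, Fleet Server default 1.1
		{tls.VersionTLS11, tls.VersionTLS11, tls.VersionTLS12, 0}, // Agent capped at 1.1, Fleet Server requires 1.2
	} {
		v, err := negotiate(c[0], c[1], c[2], c[3])
		fmt.Printf("client %#04x-%#04x vs server %#04x-%#04x: negotiated %#04x, err=%v\n", c[0], c[1], c[2], c[3], v, err)
	}
}
```

The first two cases settle on the highest version both sides allow (TLS 1.3 with a current Go toolchain), which is why a mismatch in minimum defaults alone does not break enrollment; only the third case, a peer whose maximum is 1.1, fails the handshake.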
this doesn't apply anymore now that we have

We might want to release a new version before merging this so people can backport to 8.x, 7.x and call the insecure default func
cc @nchaulet

Superseded by #264
We've added tlscommon.SetInsecureDefaults() so that users can restore previous behaviour (on 8.x branches). This is already being used in beats, elastic-agent, and fleet-server.
What does this PR do?
Bump the default TLS version to TLS v1.2 from TLS v1.1.
Support for TLS v1.1 is not removed for the sake of compatibility.
Why is it important?
Motivated from the work in APM Server toward bumping the default TLS version to 1.2: elastic/apm-server#10491
TLS v1.1 was formally deprecated in 2021 and is considered obsolete: https://datatracker.ietf.org/doc/html/rfc8996
Several standards and the NIST guidelines for TLS implementation recommend not using TLS 1.1 or lower.
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added an entry in CHANGELOG.md
Author's Checklist
Related issues
Related to elastic/apm-server#10491