Finalize support for TLSv1.3

elastic · Nov 11, 2020 · 5ffbd5b · 5ffbd5b
1 parent 9d9a1b8
commit 5ffbd5b
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 12 deletions.
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -571,7 +571,7 @@ all http requests to https over the port configured as <<server-port, `server.po
 
 | `server.ssl.supportedProtocols:`
  | An array of supported protocols with versions.
-Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`. *Default: TLSv1.1, TLSv1.2*
+Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. *Default: TLSv1.1, TLSv1.2, TLSv1.3*
 
 | [[settings-xsrf-whitelist]] `server.xsrf.whitelist:`
  | It is not recommended to disable protections for

diff --git a/src/core/server/http/ssl_config.test.ts b/src/core/server/http/ssl_config.test.ts
@@ -266,14 +266,19 @@ describe('#sslSchema', () => {
         certificate: '/path/to/certificate',
         enabled: true,
         key: '/path/to/key',
-        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2'],
+        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
       };
 
       const singleKnownProtocolConfig = sslSchema.validate(singleKnownProtocol);
       expect(singleKnownProtocolConfig.supportedProtocols).toEqual(['TLSv1']);
 
       const allKnownProtocolsConfig = sslSchema.validate(allKnownProtocols);
-      expect(allKnownProtocolsConfig.supportedProtocols).toEqual(['TLSv1', 'TLSv1.1', 'TLSv1.2']);
+      expect(allKnownProtocolsConfig.supportedProtocols).toEqual([
+        'TLSv1',
+        'TLSv1.1',
+        'TLSv1.2',
+        'TLSv1.3',
+      ]);
     });
 
     test('rejects unknown protocols`', () => {
@@ -288,21 +293,23 @@ describe('#sslSchema', () => {
         certificate: '/path/to/certificate',
         enabled: true,
         key: '/path/to/key',
-        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'SOMEv100500'],
+        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', 'SOMEv100500'],
       };
 
       expect(() => sslSchema.validate(singleUnknownProtocol)).toThrowErrorMatchingInlineSnapshot(`
 "[supportedProtocols.0]: types that failed validation:
 - [supportedProtocols.0.0]: expected value to equal [TLSv1]
 - [supportedProtocols.0.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]"
+- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.0.3]: expected value to equal [TLSv1.3]"
 `);
       expect(() => sslSchema.validate(allKnownWithOneUnknownProtocols))
         .toThrowErrorMatchingInlineSnapshot(`
-"[supportedProtocols.3]: types that failed validation:
-- [supportedProtocols.3.0]: expected value to equal [TLSv1]
-- [supportedProtocols.3.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.3.2]: expected value to equal [TLSv1.2]"
+"[supportedProtocols.4]: types that failed validation:
+- [supportedProtocols.4.0]: expected value to equal [TLSv1]
+- [supportedProtocols.4.1]: expected value to equal [TLSv1.1]
+- [supportedProtocols.4.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.4.3]: expected value to equal [TLSv1.3]"
 `);
     });
   });

diff --git a/src/core/server/http/ssl_config.ts b/src/core/server/http/ssl_config.ts
@@ -26,6 +26,8 @@ const protocolMap = new Map<string, number>([
   ['TLSv1', cryptoConstants.SSL_OP_NO_TLSv1],
   ['TLSv1.1', cryptoConstants.SSL_OP_NO_TLSv1_1],
   ['TLSv1.2', cryptoConstants.SSL_OP_NO_TLSv1_2],
+  // @ts-expect-error According to the docs SSL_OP_NO_TLSv1_3 should exist (https://nodejs.org/docs/latest-v12.x/api/crypto.html)
+  ['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3],
 ]);
 
 export const sslSchema = schema.object(
@@ -52,8 +54,13 @@ export const sslSchema = schema.object(
     }),
     redirectHttpFromPort: schema.maybe(schema.number()),
     supportedProtocols: schema.arrayOf(
-      schema.oneOf([schema.literal('TLSv1'), schema.literal('TLSv1.1'), schema.literal('TLSv1.2')]),
-      { defaultValue: ['TLSv1.1', 'TLSv1.2'], minSize: 1 }
+      schema.oneOf([
+        schema.literal('TLSv1'),
+        schema.literal('TLSv1.1'),
+        schema.literal('TLSv1.2'),
+        schema.literal('TLSv1.3'),
+      ]),
+      { defaultValue: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], minSize: 1 }
     ),
     clientAuthentication: schema.oneOf(
       [schema.literal('none'), schema.literal('optional'), schema.literal('required')],

diff --git a/src/dev/build/tasks/bin/scripts/kibana b/src/dev/build/tasks/bin/scripts/kibana
@@ -26,4 +26,4 @@ if [ -f "${CONFIG_DIR}/node.options" ]; then
   KBN_NODE_OPTS="$(grep -v ^# < ${CONFIG_DIR}/node.options | xargs)"
 fi
 
-NODE_OPTIONS="--no-warnings --max-http-header-size=65536 $KBN_NODE_OPTS $NODE_OPTIONS" NODE_ENV=production exec "${NODE}" "${DIR}/src/cli/dist" ${@}
+NODE_OPTIONS="--no-warnings --max-http-header-size=65536 --tls-min-v1.0 $KBN_NODE_OPTS $NODE_OPTIONS" NODE_ENV=production exec "${NODE}" "${DIR}/src/cli/dist" ${@}