TLS1.3 support

[redriverhong]

version:

config:

Port detection status：

but, old version(3.4.10) is ok:
version:

config:


Port detection status：

[serathius]

I tried to reproduce the issue, but I didn't find an Etcd version that supports TLS1.3.

My setup

./bin/etcd-v3.4.10/etcd --auto-tls --peer-auto-tls   --listen-peer-urls=https://127.0.0.1:2380 --listen-client-urls=https://127.0.0.1:2379

I tested 3.5.1, 3.4.16, 3.4.10
Strange is that golang 1.12 should support TLS1.3 so maybe my methodology is not correct. Please let me know if I missed something

[serathius]

Found this issue that mentions TLS1.3 is supported 3.4.4+ #11692

[serathius]

Ok, I have reproduced the issue. On v3.4 I needed to provide GODEBUG=tls13=1 for TLS1.3 to work. However this no longer works on v3.5.1

[serathius]

Answer Etcd set max TLS to 1.2

etcd/client/pkg/transport/listener.go

Line 503 in 7572a61

cfg.MaxVersion = tls.VersionTLS12

[serathius]

PR #11110

Looks like the reason is that cipher suites are no longer configurable in TLS1.3
cc @gyuho for more context

[serathius]

Overall answer is that Etcd never officially supported TLS1.3, however it was possible in v3.4 to enable it by using a golang debug flag GODEBUG=tls13=1. This no longer an option in v3.5.

I think we can consider enabling TLS1.3, however I don't think that lack support in v3.5 is nesesery a bug. cc @ptabor @hexfusion to confirm

[redriverhong]

While this is not a bug, I think there should be a way to configure support for TLS 1.3.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

[serathius]

bump

[donalhunt]

also interested in seeing TLS 1.3 support.

side note: just encountered an issue where the use of a older version of a java library (didn't support TLS 1.2 I believe) resulted in issues connected to our etcd cluster. allowing developers to utilise 1.2 or 1.3 would be good since some apps may be built and not revisited for a while - if they get rebuilt with TLS 1.3 the likelihood of a revisit due to a change from 1.2 to 1.3 would not be needed).

[rensx5514]

bump again

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

[IamSatyaonline]

Hi @ahrtr @serathius
Is ETCD planning to add the support of TLSv1.3 in coming release ?

Thanks,
Satya

[serathius]

Noone is currently working on it. Contributions are welcomed!

[NBK27]

Is setting the min and max version configurable using config file?

[jmhbnz]

Is setting the min and max version configurable using config file?

Hey @NBK27 - It works for me via the following:

tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'

I notice we don't include these fields in our example etcd configuration file so I'll raise a pr to update this.

[tjungblu]

it seems in #15156 we have missed out on setting the same min/max values for grpc proxy:
https://github.com/etcd-io/etcd/blob/main/server/etcdmain/grpc_proxy.go#L200-L223

cc @sanchezl

/reopen