diff --git a/src/core/server/core_usage_data/core_usage_data_service.mock.ts b/src/core/server/core_usage_data/core_usage_data_service.mock.ts
index 5e1bcbe7867b..ae6326a8c2e9 100644
--- a/src/core/server/core_usage_data/core_usage_data_service.mock.ts
+++ b/src/core/server/core_usage_data/core_usage_data_service.mock.ts
@@ -105,7 +105,7 @@ const createStartContractMock = () => {
 keyConfigured: false,
 keystoreConfigured: false,
 redirectHttpFromPortConfigured: false,
- supportedProtocols: ['TLSv1.1', 'TLSv1.2'],
+ supportedProtocols: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
 truststoreConfigured: false,
 },
 xsrf: {
diff --git a/src/core/server/core_usage_data/core_usage_data_service.test.ts b/src/core/server/core_usage_data/core_usage_data_service.test.ts
index ff3b0f1a1134..7e28a74b98de 100644
--- a/src/core/server/core_usage_data/core_usage_data_service.test.ts
+++ b/src/core/server/core_usage_data/core_usage_data_service.test.ts
@@ -163,6 +163,7 @@ describe('CoreUsageDataService', () => {
 "supportedProtocols": Array [
 "TLSv1.1",
 "TLSv1.2",
+ "TLSv1.3",
 ],
 "truststoreConfigured": false,
 },
diff --git a/src/core/server/http/__snapshots__/http_config.test.ts.snap b/src/core/server/http/__snapshots__/http_config.test.ts.snap
index 70c8abf4ed7a..120299b6a349 100644
--- a/src/core/server/http/__snapshots__/http_config.test.ts.snap
+++ b/src/core/server/http/__snapshots__/http_config.test.ts.snap
@@ -78,6 +78,7 @@ Object {
 "supportedProtocols": Array [
 "TLSv1.1",
 "TLSv1.2",
+ "TLSv1.3",
 ],
 "truststore": Object {},
 },
diff --git a/src/core/server/http/ssl_config.test.ts b/src/core/server/http/ssl_config.test.ts
index db83e44e282b..e1331f74e6ba 100644
--- a/src/core/server/http/ssl_config.test.ts
+++ b/src/core/server/http/ssl_config.test.ts
@@ -277,14 +277,19 @@ describe('#sslSchema', () => {
 certificate: '/path/to/certificate',
 enabled: true,
 key: '/path/to/key',
- supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2'],
+ supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
 };
 const singleKnownProtocolConfig = sslSchema.validate(singleKnownProtocol);
 expect(singleKnownProtocolConfig.supportedProtocols).toEqual(['TLSv1']);
 const allKnownProtocolsConfig = sslSchema.validate(allKnownProtocols);
- expect(allKnownProtocolsConfig.supportedProtocols).toEqual(['TLSv1', 'TLSv1.1', 'TLSv1.2']);
+ expect(allKnownProtocolsConfig.supportedProtocols).toEqual([
+ 'TLSv1',
+ 'TLSv1.1',
+ 'TLSv1.2',
+ 'TLSv1.3',
+ ]);
 });
 test('rejects unknown protocols`', () => {
@@ -299,21 +304,23 @@ describe('#sslSchema', () => {
 certificate: '/path/to/certificate',
 enabled: true,
 key: '/path/to/key',
- supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'SOMEv100500'],
+ supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', 'SOMEv100500'],
 };
 expect(() => sslSchema.validate(singleUnknownProtocol)).toThrowErrorMatchingInlineSnapshot(`
 "[supportedProtocols.0]: types that failed validation:
 - [supportedProtocols.0.0]: expected value to equal [TLSv1]
 - [supportedProtocols.0.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]"
+- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.0.3]: expected value to equal [TLSv1.3]"
 `);
 expect(() => sslSchema.validate(allKnownWithOneUnknownProtocols))
 .toThrowErrorMatchingInlineSnapshot(`
-"[supportedProtocols.3]: types that failed validation:
-- [supportedProtocols.3.0]: expected value to equal [TLSv1]
-- [supportedProtocols.3.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.3.2]: expected value to equal [TLSv1.2]"
+"[supportedProtocols.4]: types that failed validation:
+- [supportedProtocols.4.0]: expected value to equal [TLSv1]
+- [supportedProtocols.4.1]: expected value to equal [TLSv1.1]
+- [supportedProtocols.4.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.4.3]: expected value to equal [TLSv1.3]"
 `);
 });
 });
diff --git a/src/core/server/http/ssl_config.ts b/src/core/server/http/ssl_config.ts
index 8887c14a13e4..8fc725ca937e 100644
--- a/src/core/server/http/ssl_config.ts
+++ b/src/core/server/http/ssl_config.ts
@@ -41,6 +41,7 @@ const protocolMap = new Map([
 ['TLSv1', cryptoConstants.SSL_OP_NO_TLSv1],
 ['TLSv1.1', cryptoConstants.SSL_OP_NO_TLSv1_1],
 ['TLSv1.2', cryptoConstants.SSL_OP_NO_TLSv1_2],
+ ['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3],
 ]);
 export const sslSchema = schema.object(
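Review bot: The new `['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3]` entry in `protocolMap` assumes the runtime's `crypto.constants` defines that flag; on a Node build without it the stored value is `undefined`. If the map is folded into the secure-options bitmask with a bitwise OR (that code is outside this hunk, so this is an inference), the entry would silently contribute nothing and the config would validate while the flag is never applied. A comment above the map such as `// SSL_OP_NO_TLSv1_3 is only defined on Node builds with TLS 1.3 support` plus a startup check that every map value is a number would make that failure visible. None of the test hunks in this commit asserts that leaving `TLSv1.3` out of `supportedProtocols` sets this bit; if no such test exists elsewhere, one belongs next to the secure-options tests.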
@@ -67,8 +68,13 @@ export const sslSchema = schema.object(
 }),
 redirectHttpFromPort: schema.maybe(schema.number()),
 supportedProtocols: schema.arrayOf(
- schema.oneOf([schema.literal('TLSv1'), schema.literal('TLSv1.1'), schema.literal('TLSv1.2')]),
- { defaultValue: ['TLSv1.1', 'TLSv1.2'], minSize: 1 }
+ schema.oneOf([
+ schema.literal('TLSv1'),
+ schema.literal('TLSv1.1'),
+ schema.literal('TLSv1.2'),
+ schema.literal('TLSv1.3'),
+ ]),
+ { defaultValue: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], minSize: 1 }
 ),
 clientAuthentication: schema.oneOf(
 [schema.literal('none'), schema.literal('optional'), schema.literal('required')],
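Review bot: The new default `['TLSv1.1', 'TLSv1.2', 'TLSv1.3']` still enables TLSv1.1, and the `oneOf` list still accepts `TLSv1`; both versions are deprecated by RFC 8996, so a deployment that sets nothing keeps offering a legacy protocol. If dropping TLSv1.1 from the default is out of scope for compatibility, record that next to the option, e.g. `// TLSv1.1 stays in the default for backward compatibility; deprecated by RFC 8996`. The change also deserves a release note: assuming protocols missing from the list are turned into `SSL_OP_NO_*` flags (that code is not in this hunk), an existing config pinned to `supportedProtocols: ['TLSv1.2']` will now actively disable TLS 1.3 where it may previously have been negotiated. The `schema.object(` call begins before this hunk and continues past it.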