Skip to content

Commit

Permalink
Support for TLS v1.3 (opensearch-project#5133)
Browse files Browse the repository at this point in the history
* feat: adds support for TLSv1.3

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>

* feat: update changelog

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>

---------

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Signed-off-by: Willie Hung <willie880201044@gmail.com>
  • Loading branch information
kajetan-nobel authored and willie-hung committed Oct 12, 2023
1 parent 5b73895 commit 2fc19bb
Show file tree
Hide file tree
Showing 6 changed files with 27 additions and 11 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- [CVE-2019-11358] Bump version of tinygradient from 0.4.3 to 1.1.5 ([#4742](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4742))
- [CVE-2021-3520] Bump `lmdb` from `2.8.0` to `2.8.5` ([#4804](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4804))
- Remove examples and other unwanted artifacts from installed dependencies ([#4896](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4896))
- Add support for TLS v1.3 ([#5133](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5133))

### 📈 Features/Enhancements

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ const createStartContractMock = () => {
keyConfigured: false,
keystoreConfigured: false,
redirectHttpFromPortConfigured: false,
supportedProtocols: ['TLSv1.1', 'TLSv1.2'],
supportedProtocols: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
truststoreConfigured: false,
},
xsrf: {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,7 @@ describe('CoreUsageDataService', () => {
"supportedProtocols": Array [
"TLSv1.1",
"TLSv1.2",
"TLSv1.3",
],
"truststoreConfigured": false,
},
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

23 changes: 15 additions & 8 deletions src/core/server/http/ssl_config.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -277,14 +277,19 @@ describe('#sslSchema', () => {
certificate: '/path/to/certificate',
enabled: true,
key: '/path/to/key',
supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2'],
supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
};

const singleKnownProtocolConfig = sslSchema.validate(singleKnownProtocol);
expect(singleKnownProtocolConfig.supportedProtocols).toEqual(['TLSv1']);

const allKnownProtocolsConfig = sslSchema.validate(allKnownProtocols);
expect(allKnownProtocolsConfig.supportedProtocols).toEqual(['TLSv1', 'TLSv1.1', 'TLSv1.2']);
expect(allKnownProtocolsConfig.supportedProtocols).toEqual([
'TLSv1',
'TLSv1.1',
'TLSv1.2',
'TLSv1.3',
]);
});

test('rejects unknown protocols`', () => {
Expand All @@ -299,21 +304,23 @@ describe('#sslSchema', () => {
certificate: '/path/to/certificate',
enabled: true,
key: '/path/to/key',
supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'SOMEv100500'],
supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', 'SOMEv100500'],
};

expect(() => sslSchema.validate(singleUnknownProtocol)).toThrowErrorMatchingInlineSnapshot(`
"[supportedProtocols.0]: types that failed validation:
- [supportedProtocols.0.0]: expected value to equal [TLSv1]
- [supportedProtocols.0.1]: expected value to equal [TLSv1.1]
- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]"
- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]
- [supportedProtocols.0.3]: expected value to equal [TLSv1.3]"
`);
expect(() => sslSchema.validate(allKnownWithOneUnknownProtocols))
.toThrowErrorMatchingInlineSnapshot(`
"[supportedProtocols.3]: types that failed validation:
- [supportedProtocols.3.0]: expected value to equal [TLSv1]
- [supportedProtocols.3.1]: expected value to equal [TLSv1.1]
- [supportedProtocols.3.2]: expected value to equal [TLSv1.2]"
"[supportedProtocols.4]: types that failed validation:
- [supportedProtocols.4.0]: expected value to equal [TLSv1]
- [supportedProtocols.4.1]: expected value to equal [TLSv1.1]
- [supportedProtocols.4.2]: expected value to equal [TLSv1.2]
- [supportedProtocols.4.3]: expected value to equal [TLSv1.3]"
`);
});
});
Expand Down
10 changes: 8 additions & 2 deletions src/core/server/http/ssl_config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ const protocolMap = new Map<string, number>([
['TLSv1', cryptoConstants.SSL_OP_NO_TLSv1],
['TLSv1.1', cryptoConstants.SSL_OP_NO_TLSv1_1],
['TLSv1.2', cryptoConstants.SSL_OP_NO_TLSv1_2],
['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3],
]);

export const sslSchema = schema.object(
Expand All @@ -67,8 +68,13 @@ export const sslSchema = schema.object(
}),
redirectHttpFromPort: schema.maybe(schema.number()),
supportedProtocols: schema.arrayOf(
schema.oneOf([schema.literal('TLSv1'), schema.literal('TLSv1.1'), schema.literal('TLSv1.2')]),
{ defaultValue: ['TLSv1.1', 'TLSv1.2'], minSize: 1 }
schema.oneOf([
schema.literal('TLSv1'),
schema.literal('TLSv1.1'),
schema.literal('TLSv1.2'),
schema.literal('TLSv1.3'),
]),
{ defaultValue: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], minSize: 1 }
),
clientAuthentication: schema.oneOf(
[schema.literal('none'), schema.literal('optional'), schema.literal('required')],
Expand Down

0 comments on commit 2fc19bb

Please sign in to comment.