feat: bump default TLS version to TLS v1.2 #121
Conversation
kruskall
requested review from
belimawr and
pierrehilbert
and removed request for
a team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
|
Let's hold off on merging this until we have have sanity checked that this won't do anything surprising when Beats, Elastic Agent, and Fleet Server are eventually updated with this change. In particular we need to verify that an Elastic Agent defaulting to TLS v1.2 can connect to a Fleet Server defaulting to TLS v1.1 and vice versa. The version negotiation should just work, but the downside and impact of being wrong about that is big enough that I don't want to assume there will be no problems. Let's actually test it first. |
|
Kudos, SonarCloud Quality Gate passed!
|
|
@cmacknz can you provide an update whether this is planned to make it into |
|
No progress on this, not a high priority for us yet. |
|
@pierrehilbert can we please make this a priority for one of the next upcoming sprints? As stated by @cmacknz we should test this and it will most probably work OOTB. |
|
As mentioned in #121 (comment), the work left to do on this PR now is testing the impact of the changes in this PR before we can be confident about merging it. Concretely, the following two tests will need to be performed: Agent using TLSv1.1 can talk to Fleet Server using TLSv1.2For this test, Elastic Agent will need to built without any changes to its dependencies. This will produce an Agent that's using TLSv1.1. Fleet Server will need to be built with it's Then it's a matter of enrolling the built Agent with the built Fleet Server and smoke testing that a few common operations in Fleet that would cause back-and-forth communication between Agent and Fleet Server work as expected. Agent using TLSv1.2 can talk to Fleet Server using TLSv1.1For this test, Elastic Agent will need to built with it's Fleet Server will need to be built without any changes to its dependencies. This will produce a Fleet Server that's using TLSv1.1. Then it's a matter of enrolling the built Agent with the built Fleet Server and smoke testing that a few common operations in Fleet that would cause back-and-forth communication between Agent and Fleet Server work as expected. |
💚 Build Succeeded
History
cc @nchaulet |
What does this PR do?
Bump the default TLS version to TLS v1.2 from TLS v1.1.
Support for TLS v1.1 is not removed for the sake of compatibility.
Why is it important?
Motivated from the work in APM Server toward bumping the default TLS version to 1.2: elastic/apm-server#10491
TLS v1.1. was formally deprecated in 2021 and is considered obsolete: https://datatracker.ietf.org/doc/html/rfc8996
Several standard and the NIST guidelines for TLS implementation recommends not using TLS 1.1 or lower.
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have added an entry inCHANGELOG.mdAuthor's Checklist
Related issues
Related to elastic/apm-server#10491