Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configurable TLS cipher suites and versions; disallow weak ciphers #4269

Merged
merged 4 commits into from
May 11, 2018
Merged

Configurable TLS cipher suites and versions; disallow weak ciphers #4269

merged 4 commits into from
May 11, 2018

Conversation

chelseakomlo
Copy link
Contributor

@chelseakomlo chelseakomlo commented May 8, 2018
edited
Loading

By default, TLS 1.2 and a subset of safe ciphers are allowed. If operators want to enable TLS 1.0 and unsafe ciphers, this can be done via the agent configuration.

@chelseakomlo chelseakomlo changed the title [WIP] Allow configurable TLS cipher suites; disallow weak ciphers Allow configurable TLS cipher suites; disallow weak ciphers May 9, 2018
@chelseakomlo chelseakomlo changed the title Allow configurable TLS cipher suites; disallow weak ciphers [WIP] Allow configurable TLS cipher suites; disallow weak ciphers May 9, 2018
@chelseakomlo
allow configurable cipher suites
0f46208 
disallow 3DES and RC4 ciphers

add documentation for tls_cipher_suites
@chelseakomlo chelseakomlo changed the title [WIP] Allow configurable TLS cipher suites; disallow weak ciphers [WIP] Configurable TLS cipher suites and versions; disallow weak ciphers May 9, 2018
@chelseakomlo chelseakomlo changed the title [WIP] Configurable TLS cipher suites and versions; disallow weak ciphers Configurable TLS cipher suites and versions; disallow weak ciphers May 9, 2018
dadgar
dadgar requested changes May 9, 2018
View reviewed changes
nomad/server.go Outdated
tlsConf := tlsutil.NewTLSConfiguration(newTLSConfig)
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig)
if err != nil {
return err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the error is logged by the caller we should log here

website/source/docs/agent/configuration/tls.html.md

- `tls_min_version` - Specifies the minimum supported version of TLS. Accepted
values are "tls10", "tls11", "tls12". Defaults to TLS 1.2.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason we aren't also exposing: https://www.consul.io/docs/agent/options.html#tls_prefer_server_cipher_suites

Copy link
Contributor Author

@chelseakomlo chelseakomlo May 10, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to keep the PR minimal to make reviewing simpler, I could add this in a follow up PR.

@chelseakomlo chelseakomlo merged commit 31c2198 into master May 11, 2018
@chelseakomlo chelseakomlo deleted the f-tls-remove-weak-standards branch May 11, 2018 12:11
@github-actions
Copy link

github-actions bot commented Mar 4, 2023

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 4, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dadgar dadgar dadgar approved these changes

@preetapan preetapan Awaiting requested review from preetapan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@chelseakomlo @dadgar