config: Update minimum TLS version from 1.2 to 1.3 (#7457)

Set the minimum TLS version used for communication with gRPC, Redis,
and Unbound to 1.3. Also remove deprecated `SecurityVersion` setting in
`clientTransportCredentials` and `serverTransportCredentials`, as
grpc-go now uses the settings provided by the `tls.Config`.

The http-01 and tls-alpn-01 challenges are not affected:
- 939ac1be8f/va/http.go (L140-L157)
- 939ac1be8f/va/tlsalpn.go (L213-L217)
Samantha 2024-04-30 12:45:39 -04:00 committed by GitHub
parent 939ac1be8f
commit 1d2dbbdf25
2 changed files with 4 additions and 13 deletions


@ -205,11 +205,8 @@ func (t *TLSConfig) Load(scope prometheus.Registerer) (*tls.Config, error) {
ClientCAs: rootCAs,
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{cert},
// Set the only acceptable TLS to v1.2 and v1.3.
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS13,
// CipherSuites will be ignored for TLS v1.3.
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
// Set the only acceptable TLS to v1.3.
MinVersion: tls.VersionTLS13,
}, nil
}
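Review bot: The new comment `// Set the only acceptable TLS to v1.3.` overstates what the config now enforces: with `MaxVersion` removed, `MinVersion: tls.VersionTLS13` expresses a floor, and "v1.3 only" holds only because Go's crypto/tls currently offers nothing newer. A wording that survives a future Go release would be `// Require TLS v1.3 or newer; there is no newer version today, so this is effectively v1.3 only.`. Dropping `CipherSuites` alongside it is consistent, since the removed comment already noted the field is ignored for TLS v1.3, though any deployment that still relied on the v1.2 suite pin should be checked for peers that cannot negotiate 1.3. The enclosing `Load` function begins outside this hunk.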


@ -86,10 +86,7 @@ func (tc *clientTransportCredentials) ServerHandshake(rawConn net.Conn) (net.Con
// Info returns information about the transport protocol used
func (tc *clientTransportCredentials) Info() credentials.ProtocolInfo {
return credentials.ProtocolInfo{
SecurityProtocol: "tls",
SecurityVersion: "1.2", // We *only* support TLS 1.2
}
return credentials.ProtocolInfo{SecurityProtocol: "tls"}
}
// GetRequestMetadata returns nil, nil since TLS credentials do not have metadata.
@ -217,10 +214,7 @@ func (tc *serverTransportCredentials) ClientHandshake(ctx context.Context, addr
// Info provides the ProtocolInfo of this TransportCredentials.
func (tc *serverTransportCredentials) Info() credentials.ProtocolInfo {
return credentials.ProtocolInfo{
SecurityProtocol: "tls",
SecurityVersion: "1.2", // We *only* support TLS 1.2
}
return credentials.ProtocolInfo{SecurityProtocol: "tls"}
}
// GetRequestMetadata returns nil, nil since TLS credentials do not have metadata.