Fixing incorrect default TLS min and TLS max versions #5480
Conversation
|
|
|
wondering if just using the crypto/tls defaults of TLS1.2 as client and TLS1.0 as server for min_version, and TLS1.3 as max_version would be a better solution. This would require otelcol to not set a default value for "min_version" and "max_version" during its creation of tls.Config. Default in crypto/tls crypto/tls function that sets the allowed TLS versions |
Codecov Report
@@ Coverage Diff @@
## main #5480 +/- ##
=======================================
Coverage 91.29% 91.29%
=======================================
Files 191 191
Lines 11291 11292 +1
=======================================
+ Hits 10308 10309 +1
Misses 782 782
Partials 201 201
Continue to review full report at Codecov.
|
config/configtls/configtls.go
Outdated
| // Setting default TLS minVersion | ||
| if c.MinVersion == "" { | ||
| c.MinVersion = "1.0" | ||
| } | ||
| // Setting default TLS maxVersion | ||
| if c.MaxVersion == "" { | ||
| c.MaxVersion = "1.3" | ||
| } |
There was a problem hiding this comment.
We should adopt the same guarantees as the golang TLS (I looked at their config, and here is what I found):
package tls
type Config struct {
// By default, TLS 1.2 is currently used as the minimum when acting as a
// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
// supported by this package, both as a client and as a server.
MinVersion uint16
// By default, the maximum version supported by this package is used,
// which is currently TLS 1.3.
MaxVersion uint16
}Currently we are enforcing "1.2" as min/max:
- Increasing max on both client/server is backwards compatible since supposedly greater version is more secure.
- Decreasing min on the server (backend) is backwards, allows more clients to connect.
- Decreasing min on the client is not OK I think, since that may result in a connection established with lower security guarantees.
@tigrannajaryan @codeboten do you have an opinion here?
There was a problem hiding this comment.
@bogdandrutu your analysis look correct to me. So, essentially you are saying that we want:
- On clients if MinVersion is missing then set it to 1.2.
- On servers if MinVersion is missing then set it to 1.0.
- Both on clients and servers if MaxVersion is missing then set it to 1.3.
There was a problem hiding this comment.
Not setting a default value at all crypto/tls will handle the TLS minVersion and maxVersions for us. Should I proceed with updating the PR?
There was a problem hiding this comment.
Not setting a default value at all crypto/tls will handle the TLS minVersion and maxVersions for us. Should I proceed with updating the PR?
That's a good point. Just pass the zero values and let crypto/tl handle the defaults.
There was a problem hiding this comment.
I've updated the PR so that we do not add a default via opentelemetry, crypto/tls will handle the default TLS versions.
There was a problem hiding this comment.
My understand is that this PR is about fixing the defaults to match the default of what the Go's standard library defines, so let's keep it that way. The code in this PR looks correct to me as it is.
If we want to require higher version number than Go's standard library then it is best to discuss it in in a separate issue/PR.
There was a problem hiding this comment.
I agree that we should follow the Go standard library approach, but it's important to clarify what Go version we are talking about. As discussed in golang/go/issues/45428, and as can be seen in golang/go@035963c the situation differs depending on the Go version:
- In Go 1.17, the default is TLS 1.0 for both the client and the server
- In Go 1.18+, the default is TLS 1.2 for the client and TLS 1.0 for the server
So this PR will mean
- a downgrade on the server min version for binaries compiled with all Go versions
- a downgrade in the client min version when used in a binary compiled with Go 1.17
Are we fine with that? I would feel more comfortable switching to build the official binaries with Go 1.18 first and after that doing this change, so that we don't decrease the client min version, but I don't feel very strongly about this
There was a problem hiding this comment.
This change just delegates to the golang compiler/vm to pick the min/max TLS. Am I wrong? We are already building the binaries with golang 1.8 (see https://github.com/open-telemetry/opentelemetry-collector-releases/blob/main/.github/workflows/ci-goreleaser.yaml#L35), but we have "go 1.17" in the go.mod. Does that mean that the min version is 1.0?
There was a problem hiding this comment.
Oh, I didn't realize we were already using Go 1.18 on the official binaries. Then I believe regardless of what go.mod says, this will not mean a change on the official binaries, so I feel like doing this is okay
There was a problem hiding this comment.
Just rebased the PR to main, is there anything blocking this PR now? I'll be happy to follow through with the changes.
The reason to block this PR is fixed, still comments that need to be resolve.
|
@tigrannajaryan @bogdandrutu please review and approve the PR if your concerns have been addressed. |
| @@ -36,10 +36,11 @@ won't use TLS at all. | |||
|
|
|||
| Minimum and maximum TLS version can be set: | |||
|
|
|||
| - `min_version` (default = "1.2"): Minimum acceptable TLS version. | |||
| It's recommended to use at least 1.2 as the minimum version. | |||
| - `min_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L694)): Minimum acceptable TLS version. | |||
There was a problem hiding this comment.
As I understood it, 1.0 is used as the default version on the server-side. This is not what we want here, on a newer server/library: the recommendation for a few years has been already to default to 1.2 as the minimum version, allowing users to use 1.0 or SSLvX only when absolutely needed.
Description: Fixing a bug, default TLS version and description does not match
Link to tracking Issue: #5430