configtls: TLS 1.2 is the new default min version #4503
Conversation
Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Signed-off-by: Juraci Paixão Kröhling <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #4503 +/- ##
=======================================
Coverage 90.67% 90.67%
=======================================
Files 179 179
Lines 10414 10414
=======================================
Hits 9443 9443
Misses 755 755
Partials 216 216
Continue to review full report at Codecov.
|
| @@ -178,7 +178,7 @@ func (c TLSServerSetting) LoadTLSConfig() (*tls.Config, error) { | |||
|
|
|||
| func convertVersion(v string) (uint16, error) { | |||
| if v == "" { | |||
| return 0, nil // default | |||
| return tls.VersionTLS12, nil // default | |||
There was a problem hiding this comment.
Breaking change in the CHANGELOG?
There was a problem hiding this comment.
Is this a breaking change, though? I wouldn't expect any OpenTelemetry Collector setup to break because of this change. Only setups using very old firewalls/load balancers would break, causing the operator to have the need to specify a lower version.
There was a problem hiding this comment.
If folks relied on TLS < 1.2, then upgrading to this new collector would break their deployments.
There was a problem hiding this comment.
relied on TLS
Right, but this is the part that I find unlikely: who's relying on TLS nowadays? I can only think of legacy applications that were built a long time ago when 1.2 wasn't available as part of the underlying TLS libraries (openssl and alike). Everything around it, like routers, proxies, and load balancers likely support 1.2 already. Given that the collector is the piece that sits behind a proxy/router/load balancer, and we know it supports 1.2, I find it highly unlikely we'll have problems.
If you think it's worth being extra-cautious, I can send in a PR that moves this entry to the breaking change part.
Addresses CWE-327 by setting the minimum TLS version to 1.2. Lower versions can still be set for backwards compatibility with older network appliances, although I don't think any of them are that old to still not have 1.2 available.
Signed-off-by: Juraci Paixão Kröhling [email protected]