
After the upgrade to 3.5.0, the TLS1.3 function is not supported when the etcd port is scanned.

Open redriverhong opened this issue 4 years ago • 11 comments

version: [screenshot] config: [screenshot]

Port detection status: [screenshot]

but, old version (3.4.10) is ok: version: [screenshot] config: [screenshot] Port detection status: [screenshot]

redriverhong avatar Nov 26 '21 02:11 redriverhong

I tried to reproduce the issue, but I didn't find an Etcd version that supports TLS1.3.

My setup

./bin/etcd-v3.4.10/etcd --auto-tls --peer-auto-tls   --listen-peer-urls=https://127.0.0.1:2380 --listen-client-urls=https://127.0.0.1:2379

I tested 3.5.1, 3.4.16, 3.4.10. What is strange is that golang 1.12 should support TLS1.3, so maybe my methodology is not correct. Please let me know if I missed something.

serathius avatar Nov 26 '21 10:11 serathius

Found this issue that mentions TLS1.3 is supported 3.4.4+ https://github.com/etcd-io/etcd/issues/11692

serathius avatar Nov 26 '21 11:11 serathius

Ok, I have reproduced the issue. On v3.4 I needed to provide GODEBUG=tls13=1 for TLS1.3 to work. However this no longer works on v3.5.1

serathius avatar Nov 26 '21 11:11 serathius

Answer: Etcd sets max TLS to 1.2

https://github.com/etcd-io/etcd/blob/7572a61a39d4eaad596ab8d9364f7df9a84ff4a3/client/pkg/transport/listener.go#L503

serathius avatar Nov 26 '21 11:11 serathius

PR https://github.com/etcd-io/etcd/pull/11110

Looks like the reason is that cipher suites are no longer configurable in TLS1.3 cc @gyuho for more context

serathius avatar Nov 26 '21 11:11 serathius

Overall answer is that Etcd never officially supported TLS1.3; however, it was possible in v3.4 to enable it by using a golang debug flag, GODEBUG=tls13=1. This is no longer an option in v3.5.

I think we can consider enabling TLS1.3; however, I don't think that the lack of support in v3.5 is necessarily a bug. cc @ptabor @hexfusion to confirm

serathius avatar Nov 26 '21 11:11 serathius

While this is not a bug, I think there should be a way to configure support for TLS 1.3.

redriverhong avatar Nov 26 '21 15:11 redriverhong

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Feb 26 '22 12:02 stale[bot]

bump

serathius avatar Feb 28 '22 09:02 serathius

also interested in seeing TLS 1.3 support.

side note: just encountered an issue where the use of an older version of a java library (didn't support TLS 1.2, I believe) resulted in issues connecting to our etcd cluster. Allowing developers to utilise 1.2 or 1.3 would be good, since some apps may be built and not revisited for a while (if they get rebuilt with TLS 1.3, a revisit due to a change from 1.2 to 1.3 would not be needed).

donalhunt avatar May 13 '22 15:05 donalhunt

bump again

rensx5514 avatar Aug 18 '22 07:08 rensx5514

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 31 '22 23:12 stale[bot]

Hi @ahrtr @serathius Is ETCD planning to add support for TLSv1.3 in a coming release?

Thanks, Satya

IamSatyaonline avatar Jan 20 '23 13:01 IamSatyaonline

No one is currently working on it. Contributions are welcome!

serathius avatar Jan 20 '23 13:01 serathius

Is setting the min and max version configurable using config file?

NBK27 avatar Aug 14 '23 09:08 NBK27

Is setting the min and max version configurable using config file?

Hey @NBK27 - It works for me via the following:

tls-min-version: 'TLS1.2'
tls-max-version: 'TLS1.3'

I notice we don't include these fields in our example etcd configuration file so I'll raise a pr to update this.

jmhbnz avatar Aug 14 '23 20:08 jmhbnz
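The two things the thread establishes (a listener with max TLS set to 1.2 refuses any client that only offers TLS 1.3, which is exactly what a version-pinned port scan sees, and cipher-suite lists only apply to TLS 1.2 while the tls-min-version / tls-max-version pair decides what is offered) can be reproduced against an in-process listener. The program below is an added example written for this thread, not etcd's own listener code. It assumes a throwaway self-signed certificate in place of --auto-tls, that the relevant part of etcd's listener config has the shape of a plain crypto/tls Config (min/max version plus a TLS 1.2 cipher-suite list), and probes pinned to a single version the way a scanner would be.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result is what one version-pinned probe of the listener observed.
type Result struct {
	OK    bool   // handshake completed
	Suite string // negotiated cipher suite name (empty on failure)
	Err   string // handshake error, if any
}

// selfSignedCert mints a throwaway ECDSA cert (constructed test material standing in for --auto-tls).
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve listens on a random loopback port with a min/max version pair and an explicit TLS 1.2
// suite list (Go ignores CipherSuites for TLS 1.3) and completes every handshake so the client
// sees either success or a protocol_version alert.
func serve(cert tls.Certificate, minVer, maxVer uint16) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVer,
		MaxVersion:   maxVer,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// probe dials addr with a client pinned to exactly one TLS version, as a scanner does.
func probe(addr string, version uint16) Result {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // throwaway probe cert only; never do this in production
		MinVersion:         version,
		MaxVersion:         version,
	})
	if err != nil {
		return Result{Err: err.Error()}
	}
	defer conn.Close()
	return Result{OK: true, Suite: tls.CipherSuiteName(conn.ConnectionState().CipherSuite)}
}

// Negotiate runs a server with min TLS 1.2 / max maxVer and probes it with a 1.2-only and a 1.3-only client.
func Negotiate(maxVer uint16) (map[uint16]Result, error) {
	ln, err := serve(selfSignedCert(), tls.VersionTLS12, maxVer)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	return map[uint16]Result{
		tls.VersionTLS12: probe(ln.Addr().String(), tls.VersionTLS12),
		tls.VersionTLS13: probe(ln.Addr().String(), tls.VersionTLS13),
	}, nil
}

func main() {
	for _, maxVer := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		res, err := Negotiate(maxVer)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server MaxVersion=%#x: %+v\n", maxVer, res)
	}
}
```

With the server capped at 0x0303 (TLS 1.2) the TLS 1.3-only probe fails with a protocol-version error (the exact wording depends on the Go release), which is the "not supported" result the original port scan reported; with the cap raised to 0x0304 both probes succeed, and the TLS 1.3 connection uses a TLS 1.3 suite regardless of the CipherSuites list, which is why a suite list cannot be honoured once 1.3 is enabled. Against a real cluster the equivalent check is `openssl s_client -connect host:2379 -tls1_3` (add the client certificate options your cluster requires) and confirming the handshake completes.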