
[Elastic Agent] Remove TLS 1.1 from a default allowed protocol

Open joshbressers opened this issue 5 years ago • 12 comments

Today our default supported protocols for beats are TLS 1.1, 1.2, and 1.3.

TLS 1.1 has been deprecated by a number of standards bodies and is generally considered to be unsafe.

Now that TLS 1.3 is widely deployed and supported I would like to discuss removing TLS 1.1 as a protocol we support by default. I think there is value in keeping the support configurable, there are likely some users who still need TLS 1.1 support for one reason or another. But I would expect users to explicitly enable TLS 1.1.

This would be a breaking change, we should discuss this in the context of removing TLS 1.1 by default only for 8.0.

joshbressers, Jul 09 '20 15:07
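To make the proposal concrete, here is an added example (written for this page, not code from Beats, Elastic Agent, or the issue author) that runs real crypto/tls handshakes over an in-memory pipe. A server whose policy is "anything from TLS 1.1 up" (the old default) is compared with one whose floor is TLS 1.2 (the proposed default), each against a client that can only speak TLS 1.1, and against a modern client. The function names (`Negotiate`, `AllowsTLS11`, `selfSignedCert`) and the throwaway `localhost` certificate are this example's own assumptions; Beats expresses the same policy through its `ssl.supported_protocols` list rather than a hand-built `tls.Config`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// versionName is a local helper; it avoids depending on tls.VersionName,
// which only exists in newer Go releases.
var versionName = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0",
	tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2",
	tls.VersionTLS13: "TLS 1.3",
}

// selfSignedCert builds a throwaway ECDSA certificate for "localhost" in memory
// (an assumption of this example) plus a pool that trusts it, so the client can
// verify the server properly instead of using InsecureSkipVerify.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate runs a full handshake over net.Pipe between a server that accepts
// versions >= serverMin and a client that offers at most clientMax. It returns
// the negotiated version or the handshake error. Session tickets are disabled
// so neither side writes after its Handshake returns: net.Pipe is unbuffered,
// and such a write would block forever.
func Negotiate(serverMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		MinVersion:             serverMin,
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true,
	}
	clientCfg := &tls.Config{
		MinVersion: tls.VersionTLS10, // let the client offer legacy versions; the server policy decides
		MaxVersion: clientMax,
		RootCAs:    pool,
		ServerName: "localhost",
	}

	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()

	srv := tls.Server(serverConn, serverCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()

	cli := tls.Client(clientConn, clientCfg)
	if err := cli.Handshake(); err != nil {
		clientConn.Close() // unblock the server goroutine if it is still on the pipe
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

// AllowsTLS11 reports whether a server with the given floor completes a
// handshake with a client that cannot speak anything newer than TLS 1.1.
func AllowsTLS11(serverMin uint16) bool {
	v, err := Negotiate(serverMin, tls.VersionTLS11)
	return err == nil && v == tls.VersionTLS11
}

func main() {
	cases := []struct {
		name                 string
		serverMin, clientMax uint16
	}{
		{"old default (TLS 1.1 allowed), TLS 1.1-only client", tls.VersionTLS11, tls.VersionTLS11},
		{"proposed default (TLS 1.2 floor), TLS 1.1-only client", tls.VersionTLS12, tls.VersionTLS11},
		{"proposed default (TLS 1.2 floor), modern client", tls.VersionTLS12, tls.VersionTLS13},
	}
	for _, c := range cases {
		v, err := Negotiate(c.serverMin, c.clientMax)
		if err != nil {
			fmt.Printf("%-56s handshake refused: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-56s negotiated %s\n", c.name, versionName[v])
	}
}
```

Running it shows the three outcomes the thread is weighing: the old floor silently completes a TLS 1.1 session, the proposed floor refuses the legacy client with a protocol_version alert, and a current client is unaffected. Raising the floor is the whole change; the "keep it configurable" part of the proposal is just letting an operator set `serverMin` back to TLS 1.1 explicitly.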

cc @simitt

joshbressers, Jul 09 '20 15:07

Pinging @elastic/integrations (Team:Integrations)

elasticmachine, Jul 09 '20 20:07

💯 for disabling it by default.

For 7.9/7.10 we could add a big ERROR/WARNING log message if we detect a connection that uses TLS 1.1 and the ssl_version setting has not been configured. But personally I'd be in favor of disabling TLS 1.1 by default in the 7.x release cycle.

urso, Jul 09 '20 20:07

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot], Jun 13 '21 15:06

@urso can this be removed as default for integrations in 7.x?

simitt, Jun 14 '21 05:06

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough 👍. Thank you for your contribution!

botelastic[bot], Jun 14 '22 05:06

This slipped through the cracks, and I think we should do it.

@cmacknz would you have any concerns about making this change within 8.x? It would be breaking, but for a very small minority. Seems worthwhile for the improved default security.

axw, Mar 20 '23 09:03

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

elasticmachine, Mar 20 '23 19:03

No concerns doing this in 8.x; security is a valid reason for a breaking change. We shouldn't be exploitable by default.

I'll look to get this prioritized across the Beats/Elastic Agent/Fleet Server products, as there are a few requests for this to be removed.

cmacknz, Mar 20 '23 19:03

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough 👍. Thank you for your contribution!

botelastic[bot], Mar 19 '24 20:03

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine, Apr 29 '24 15:04

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

elasticmachine, Apr 29 '24 15:04