
config: Update minimum TLS version from 1.2 to 1.3

Open beautifulentropy opened this issue 1 year ago • 3 comments

  • Set the minimum TLS version used for communication with gRPC, Redis, and Unbound to 1.3.
  • Remove deprecated SecurityVersion setting in clientTransportCredentials and serverTransportCredentials, as grpc-go now depends on the settings provided by the tls.Config.

beautifulentropy avatar Apr 29 '24 19:04 beautifulentropy

We previously considered this change in #6600, but stuck with a minimum version of 1.2 to avoid deployability issues. For more information, see this comment.

Credit to @pgporada for finding this.

beautifulentropy avatar Apr 29 '24 19:04 beautifulentropy

For DOH, Unbound has long since supported TLS 1.3 (due to openssl v1.1.1/openssl v3.x in LTS Ubuntu).

pgporada avatar Apr 29 '24 19:04 pgporada

> For DOH, Unbound has long since supported TLS 1.3 (due to openssl v1.1.1/openssl v3.x in LTS Ubuntu).

Similarly with Redis, we updated its config to use TLS v1.3 in #6600 at the request of SRE.

beautifulentropy avatar Apr 29 '24 19:04 beautifulentropy

> LGTM, once we confirm and document in the PR description that this should not affect the minimum TLS version negotiated by the TLS-ALPN-01 method and the HTTP-01 method when redirected to an https:// address.

Good call, here's the relevant code: https://github.com/letsencrypt/boulder/blob/9f2a27e03b380cbfc10a707b840059dded927a00/va/tlsalpn.go#L213-L217 https://github.com/letsencrypt/boulder/blob/9f2a27e03b380cbfc10a707b840059dded927a00/va/http.go#L148

beautifulentropy avatar Apr 30 '24 16:04 beautifulentropy

http-01 and tls-alpn-01 are each performed with distinct tls.Configs and won't be affected by this change.

pgporada avatar Apr 30 '24 16:04 pgporada
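As an added example (not code from the Boulder repository or from this PR), the Go program below exercises the two points the thread settles on: the TLS 1.3 floor is expressed only in `tls.Config`, which is the same object grpc-go's `credentials.NewTLS` consumes and why a separate `SecurityVersion` is redundant, and a peer that cannot speak TLS 1.3 fails the handshake outright instead of downgrading. Because the floor is a field on one config value, a distinct `tls.Config` used elsewhere (as the VA's http-01 and tls-alpn-01 code has) is unaffected. Assumptions: a self-signed certificate generated in-process (constructed test material), an in-memory `net.Pipe` in place of a socket, and the helper names `internalTLSConfig`, `selfSignedCert`, `negotiate` and `RunDemo`, none of which exist in Boulder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// internalTLSConfig has the shape this PR describes for Boulder-internal peers
// (gRPC, Redis, Unbound): mutual TLS with the TLS 1.3 floor set only in the
// tls.Config. Hypothetical helper; Boulder's own config loading is not shown.
func internalTLSConfig(cert tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{cert},
		RootCAs:      roots,
		ClientCAs:    roots,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
}

// selfSignedCert builds a throwaway ECDSA certificate valid for both server and
// client authentication so the example runs offline. Constructed test material.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER just emitted by CreateCertificate always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs one handshake over an in-memory pipe and returns the protocol
// version both sides agreed on, or the handshake error.
func negotiate(serverCfg, clientCfg *tls.Config) (uint16, error) {
	// net.Pipe is synchronous, so the server must not write anything the client
	// will never read: post-handshake session tickets are disabled for the demo.
	srvCfg := serverCfg.Clone()
	srvCfg.SessionTicketsDisabled = true
	cp, sp := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		defer sp.Close()
		srvErr <- tls.Server(sp, srvCfg).Handshake()
	}()
	client := tls.Client(cp, clientCfg)
	cerr := client.Handshake()
	cp.Close() // also unblocks the server goroutine if it is still waiting on the pipe
	if serr := <-srvErr; cerr != nil || serr != nil {
		return 0, fmt.Errorf("client: %v; server: %v", cerr, serr)
	}
	return client.ConnectionState().Version, nil
}

// RunDemo returns the version negotiated by a TLS 1.3-capable client and the
// error seen by a client capped at TLS 1.2 (a peer that was not upgraded must
// fail loudly rather than silently downgrade the link).
func RunDemo() (modern uint16, legacyErr error, err error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return 0, nil, err
	}
	server := internalTLSConfig(cert, roots)
	client := internalTLSConfig(cert, roots)
	client.ServerName = "localhost"
	if modern, err = negotiate(server, client); err != nil {
		return 0, nil, err
	}
	legacy := client.Clone()
	legacy.MinVersion, legacy.MaxVersion = tls.VersionTLS12, tls.VersionTLS12
	_, legacyErr = negotiate(server, legacy)
	return modern, legacyErr, nil
}

func main() {
	modern, legacyErr, err := RunDemo()
	fmt.Printf("TLS 1.3 client: 0x%04x; TLS 1.2-only client: %v; setup error: %v\n", modern, legacyErr, err)
}
```

`RunDemo` returns `0x0304` (TLS 1.3) for the first handshake and a non-nil error for the TLS 1.2-only client, which is the deployability question #6600 raised: every gRPC, Redis and Unbound peer has to be on a build that speaks TLS 1.3 before this floor is rolled out, or its connections stop at the handshake.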