feat(server): Enforce TLS >= v1.2 #5172
Conversation
Signed-off-by: Alex Collins <alex_collins@intuit.com>
@@ -87,8 +88,13 @@ See %s`, help.ArgoSever), | |||
if secure { | |||
cer, err := tls.LoadX509KeyPair("argo-server.crt", "argo-server.key") | |||
errors.CheckError(err) | |||
// InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC. | |||
tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}, InsecureSkipVerify: true} | |||
tlsMinVersion, err := env.GetInt("TLS_MIN_VERSION", tls.VersionTLS12) |
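Review bot: `env.GetInt("TLS_MIN_VERSION", tls.VersionTLS12)` takes a raw integer, so an operator has to supply the numeric value of the Go constant (771 for TLS 1.2, 772 for TLS 1.3) rather than something like `1.2`; the documentation for this variable should state the accepted values. Since the point of the PR is to enforce TLS >= 1.2, the parsed value should also be rejected when it is below `tls.VersionTLS12`, otherwise setting the variable to a lower value silently re-enables TLS 1.0/1.1.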
This ENV needs to be documented somewhere.
done
errors.CheckError(err) | ||
tlsConfig = &tls.Config{ | ||
Certificates: []tls.Certificate{cer}, | ||
InsecureSkipVerify: false, // InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC. |
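Review bot: the comment on `InsecureSkipVerify: false` was carried over from the removed `InsecureSkipVerify: true` line and no longer matches the code: it says the flag is needed for the server to speak to itself over gRPC, yet the flag is now off. `false` is also the zero value of the field, so the explicit assignment is redundant. Either drop the field together with the stale comment, or replace the comment with the actual reason the loopback gRPC connection still works with the self-signed certificate, which is the question raised below.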
Curious why changing to false
still works for self-signed CERT.
I think this is because HTTP connections loop back to GRPC, so we need this.
@whynowy fixed. Ready for review.
LGTM
@simster7 I think we should be avoiding back-porting features to v3.0 for now and only do bugs. This is an exception to that, mind you.