Remove server support for TLS 1.0 and 1.1 #50

Merged: 1 commit, Feb 28, 2018


justincormack
Member

This should not be needed any more and is not recommended.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

@justincormack
Member Author

cc @n4ss

@n4ss
Contributor

n4ss commented Feb 22, 2018

I think that go-connections is used pretty much everywhere by docker, and some clients (ex: homebrew's docker-compose between ] Snow Leopard ; Sierra ]) do not support TLS > 1.0 yet because of the super old OpenSSL version (0.9.8) that is linked with the default macOS python.

This is why I added modifiers on the default config generators: 5bd7d32

That way we can set the min TLS version project-by-project / product-by-product according to back-compatibility.

PS: I created a PR for homebrew's formula.

@justincormack
Member Author

For Docker for Mac (which may only support 10.11 and 1.12 now?) we can ship compose linked against any version we like. That is also what Apple seems to recommend anyway. For self install most people use homebrew, which has later versions. So I think we should fix this in compose.

@dperny

dperny commented Feb 23, 2018

Is there any good reason to keep around TLSv1.1 as the minimum version as opposed to just going straight to TLSv1.2? I don't know of any clients that support 1.1 and not 1.2.

@justincormack
Member Author

justincormack commented Feb 27, 2018

Yes, happy to remove 1.1 at the same time. Amended.

@justincormack justincormack changed the title Remove server support for TLS1.0 Remove server support for TLS 1.0 and 1.1 Feb 27, 2018
This should not be needed any more and is not recommended.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
@cyli
Contributor

cyli commented Feb 27, 2018

@n4ss @justincormack Possibly docker-compose and docker-py may support TLS>1.2 - at least, if it's pip install-ed with the TLS it should: docker/docker-py#1563.

@cyli
Contributor

cyli commented Feb 28, 2018

LGTM

@n4ss
Contributor

n4ss commented Feb 28, 2018

lgtm

Member

@thaJeztah thaJeztah left a comment


LGTM

Collaborator

@vdemeester vdemeester left a comment


LGTM 🐸
