security/advancedtls: add min/max TLS version option #5797
Please make sure to add tests where the client uses a version under the server's min and over the server's max, and the reverse for server/client.
This PR is labeled as requiring an update from the reporter, and no update has been received after 6 days. If no update is provided in the next 7 days, this issue will be automatically closed.
In regards to the comments for testing client-server behavior, it would require setting up a real server, and I thought probably it would be better to do it in the integration tests. Would it be fine if we submit that in a separate PR?
I would prefer to include tests for functionality in the same PR that adds that functionality, unless there are very strong reasons not to (e.g. this feature is urgently needed and the tests will take too long to write).
@dfawley Done with adding the integration tests. Would you mind taking a look again? Thank you so much!
{ | ||
desc: "Good TLS version settings", | ||
clientMinVersion: tls.VersionTLS12, | ||
clientMaxVersion: tls.VersionTLS13, | ||
serverMinVersion: tls.VersionTLS12, | ||
serverMaxVersion: tls.VersionTLS13, | ||
expectError: false, | ||
}, |
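Review bot: in this entry the client and server ranges are identical (`tls.VersionTLS12` to `tls.VersionTLS13` on both sides), so `expectError: false` cannot show that either bound is actually enforced. Suggest adding entries where the ranges differ, including at least one disjoint pair such as `clientMaxVersion: tls.VersionTLS12` against `serverMinVersion: tls.VersionTLS13` with `expectError: true`, and checking the negotiated version in the cases where the ranges overlap only partly.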
For completeness, can you also add:
- client 12-13, server 12-12 (and/or 11-12)
- client 12-13, server 13-13 (and/or 13-14)
- server 12-13, client 12-12 (and/or 11-12)
- server 12-13, client 13-13 (and/or 13-14)
These should all pass IIUC?
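The version matrix discussed in this thread can be exercised directly against Go's `crypto/tls`, shown here as an added example that is not code from this PR. `newCert` and `negotiate` are hypothetical helpers, the certificate is constructed test data, and plain `tls.Config` `MinVersion`/`MaxVersion` fields stand in for the advancedtls options.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func newCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway self-signed cert (constructed)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// negotiate handshakes over loopback TCP; it errors when the ranges share no version.
func negotiate(cMin, cMax, sMin, sMax uint16) (uint16, error) {
	cert, pool := newCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: sMin, MaxVersion: sMax})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // outcome is observed on the client side
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: pool, ServerName: "example.test", MinVersion: cMin, MaxVersion: cMax})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() { // client TLS 1.2 only against server TLS 1.3 only
	fmt.Println(negotiate(tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS13, tls.VersionTLS13))
}
```

When the ranges overlap, the handshake settles on the highest version both sides allow; when they are disjoint, the client gets a handshake error rather than a silent downgrade.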
Adding a "TlsVersionOption" for users to select their desired min/max TLS versions, if advanced TLS is used, per request by #5667
RELEASE NOTES: