Skip to content

feat(tls): add configurable TLS security profile [Backport release/0.5.z]#2406

Merged
ctron merged 2 commits into
release/0.5.zfrom
backport-2385-to-release/0.5.z
Jun 18, 2026
Merged

feat(tls): add configurable TLS security profile [Backport release/0.5.z]#2406
ctron merged 2 commits into
release/0.5.zfrom
backport-2385-to-release/0.5.z

Conversation

@trustify-ci-bot

@trustify-ci-bot trustify-ci-bot Bot commented Jun 17, 2026

Copy link
Copy Markdown

Description

Backport of #2385 to release/0.5.z.

Summary by Sourcery

Add configurable TLS security profiles to the HTTP server and expose related configuration via CLI and environment variables.

New Features:

  • Introduce TLS security profiles (old, intermediate, modern, custom) and minimum TLS version options for the HTTP server.
  • Support custom TLS cipher lists and ciphersuites when using a custom TLS profile.

Enhancements:

  • Default the HTTP server to the Modern TLS profile and log the active TLS profile when TLS is enabled.
  • Centralize TLS acceptor construction based on the selected security profile.

Documentation:

  • Document new HTTP server TLS environment variables for security profile, minimum TLS version, and custom cipher configuration.

Tests:

  • Add tests covering the default TLS profile, validation of custom profile requirements, and acceptance of all supported TLS profiles.

jcrossley3 and others added 2 commits June 17, 2026 17:52
Replace the hardcoded mozilla_modern_v5 (TLS 1.3 only) SSL acceptor with
a configurable TLS security profile aligned with OpenShift TLS Security
Profiles. The new --http-server-tls-security-profile flag supports four
profiles: old (TLS 1.0+), intermediate (TLS 1.2+, new default), modern
(TLS 1.3 only), and custom (user-defined min version and cipher suites).

This changes the default from Modern to Intermediate to match the
OpenShift default and broaden client compatibility.

Implements TC-3426

Assisted-by: Claude Code
(cherry picked from commit 5764a31)
Change the default TLS security profile from intermediate (TLS 1.2+)
to modern (TLS 1.3 only), preserving the existing security posture.
Operators who need broader compatibility can opt in to a less
restrictive profile via HTTP_SERVER_TLS_SECURITY_PROFILE.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 01eb2bf)
@sourcery-ai

sourcery-ai Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Backports configurable TLS security profiles to the HTTP server, adding CLI/env configuration for TLS profiles and custom TLS parameters, wiring them into the OpenSSL acceptor, and documenting the new environment variables with tests to validate behavior.

Sequence diagram for configuring TLS security profile in HTTP server

sequenceDiagram
    actor User
    participant HttpServerConfig
    participant HttpServerBuilder
    participant build_ssl_acceptor
    participant SslAcceptor

    User->>HttpServerConfig: set tls_enabled, tls_security_profile, tls_min_version, tls_ciphers, tls_ciphersuites
    User->>HttpServerBuilder: HttpServerBuilder::try_from(HttpServerConfig)
    activate HttpServerBuilder
    HttpServerBuilder->>HttpServerBuilder: [tls_enabled]
    alt profile is Custom and tls_min_version is None
        HttpServerBuilder-->>User: Err(anyhow!("Custom TLS profile requires --http-server-tls-min-version"))
    else valid TLS config
        HttpServerBuilder->>HttpServerBuilder: tls(TlsConfiguration)
        HttpServerBuilder-->>User: Ok(HttpServerBuilder)
        deactivate HttpServerBuilder

        User->>HttpServerBuilder: build()
        activate HttpServerBuilder
        HttpServerBuilder->>build_ssl_acceptor: build_ssl_acceptor(&TlsConfiguration)
        activate build_ssl_acceptor
        alt security_profile is Old
            build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_intermediate_v5
            build_ssl_acceptor->>SslAcceptor: set_min_proto_version(None)
        else security_profile is Intermediate
            build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_intermediate_v5
        else security_profile is Modern
            build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_modern_v5
        else security_profile is Custom
            build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_intermediate_v5
            opt custom min_version
                build_ssl_acceptor->>TlsMinVersion: to_ssl_version()
                build_ssl_acceptor->>SslAcceptor: set_min_proto_version(SslVersion)
            end
            opt custom ciphers
                build_ssl_acceptor->>SslAcceptor: set_cipher_list(ciphers)
            end
            opt custom ciphersuites
                build_ssl_acceptor->>SslAcceptor: set_ciphersuites(ciphersuites)
            end
        end
        build_ssl_acceptor-->>HttpServerBuilder: SslAcceptorBuilder
        deactivate build_ssl_acceptor
        HttpServerBuilder-->>User: running HTTPS server
        deactivate HttpServerBuilder
    end
Loading

File-Level Changes

Change Details Files
Introduce TLS security profile and minimum TLS version enums and expose them as configurable HTTP server options.
  • Add TlsSecurityProfile and TlsMinVersion enums implementing clap::ValueEnum and fmt::Display for CLI/env parsing and logging.
  • Extend HttpServerConfig with tls_security_profile, tls_min_version, tls_ciphers, and tls_ciphersuites fields and clap argument metadata.
  • Update HttpServerConfig::default to set Modern as the default TLS security profile.
common/infrastructure/src/app/http.rs
Wire TLS profile and custom parameters into TLS configuration and OpenSSL acceptor initialization.
  • Extend TlsConfiguration to carry TLS profile, min version, and cipher configuration.
  • Add validation that a Custom TLS profile requires a configured minimum TLS version.
  • Introduce build_ssl_acceptor helper that configures SslAcceptor according to the selected TLS profile and optional custom parameters and use it in HttpServerBuilder instead of the previous hard-coded modern profile.
  • Improve TLS logging to include the active TLS security profile.
common/infrastructure/src/app/http.rs
Add tests and documentation for the new TLS configuration options.
  • Add unit tests verifying default profile is Modern, Custom requires min_version, all named profiles are accepted, and Custom with min_version is accepted.
  • Document new HTTP_SERVER_TLS_* environment variables for TLS ciphers, ciphersuites, min version, and security profile in env-vars.md.
common/infrastructure/src/app/http.rs
docs/env-vars.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The validation error for a custom TLS profile ("Custom TLS profile requires --http-server-tls-min-version") is flag-specific; consider rewording to mention both the CLI flag and the HTTP_SERVER_TLS_MIN_VERSION env var (or just “a minimum TLS version”) to better match all configuration entry points.
  • Requiring tls_min_version for the Custom TLS profile even when only custom cipher lists are provided is a bit rigid; consider allowing a custom profile with just ciphers/ciphersuites configured and treating tls_min_version as optional in that case.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The validation error for a custom TLS profile (`"Custom TLS profile requires --http-server-tls-min-version"`) is flag-specific; consider rewording to mention both the CLI flag and the `HTTP_SERVER_TLS_MIN_VERSION` env var (or just “a minimum TLS version”) to better match all configuration entry points.
- Requiring `tls_min_version` for the `Custom` TLS profile even when only custom cipher lists are provided is a bit rigid; consider allowing a custom profile with just ciphers/ciphersuites configured and treating `tls_min_version` as optional in that case.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@ctron
ctron added this pull request to the merge queue Jun 18, 2026
Merged via the queue into release/0.5.z with commit f98b19b Jun 18, 2026
6 checks passed
@ctron
ctron deleted the backport-2385-to-release/0.5.z branch June 18, 2026 08:08
@github-project-automation github-project-automation Bot moved this to Done in Trustify Jun 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants