
Request for TLS 1.2 #979

Closed
neolunar7 opened this issue Mar 5, 2021 · 3 comments

neolunar7 commented Mar 5, 2021

Is your feature request related to a problem? Please describe.
According to the link https://www.boundaryproject.io/docs/concepts/security/connections-tls, there seems to be only support for TLS 1.3. However, when using AWS ALB as a load balancer in front of Boundary, a TLS-related error arises. I posted the issue on https://discuss.hashicorp.com/t/boundary-connect-ssh-throwing-failed-to-websocket-dial-error/21609. I can resolve this issue by changing the ClusterIP service type to the NodePort service type, bypassing the LoadBalancer and directly accessing the pod.

Describe the solution you'd like
Boundary TLS only supports 1.3, but this is not consistent with the cloud provider settings. (I use AWS, and don't know about other providers.) If we could select between TLS 1.2 and 1.3, it would be really helpful.

Describe alternatives you've considered
None

Explain any additional use-cases
None

Additional context
None

@malnick malnick self-assigned this Mar 17, 2021
@malnick malnick added the enhancement New feature or request label Mar 17, 2021
malnick (Collaborator) commented Mar 17, 2021

Thanks for posting this @neolunar7 and sorry for the tardy response. This sounds like a good request, and I'll work on getting it added to our road map. It does look like AWS released support for 1.3 in CloudFront, but looking at ELBs it appears they're still only on 1.2 as you noted.

jefferai (Member) commented

We don't support TLS protocol decoding between the client and proxy. (We may in the future to allow you to use your own client certs, but don't now.) We use a tightly-controlled ephemeral TLS stack for every proxy connection; see https://www.boundaryproject.io/docs/concepts/security/connections-tls#client-to-worker-tls

Even if we allowed TLS 1.2, you wouldn't be able to use it with ALB because you wouldn't have any way to get the CA cert or server cert generated just for that single session.
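The mismatch described in this thread can be reproduced in isolation. The following is an added example (not Boundary's code) that pins a loopback server to TLS 1.3, as the worker is, and dials it with a client capped at a chosen maximum version, standing in for a TLS 1.2-only load balancer; the self-signed certificate and the `Negotiate` function are constructed for this demonstration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Negotiate runs one loopback TLS handshake between a server pinned to TLS 1.3 (as the
// Boundary worker is) and a client capped at clientMax, modelling a load balancer that
// speaks only up to that version. It returns the negotiated version or the client's error.
func Negotiate(clientMax uint16) (uint16, error) {
	// Throwaway self-signed cert (constructed here) in place of the worker's per-session cert.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, srvCfg)
			srv.Handshake() // on a version mismatch this sends a protocol_version alert
			srv.Close()
		}
	}()
	// Verification is skipped only because the cert is a throwaway; the point is version negotiation.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true, MaxVersion: clientMax})
	if err != nil {
		return 0, err
	}
	defer cli.Close()
	return cli.ConnectionState().Version, nil
}
```

A client capped at TLS 1.2 gets a `protocol version` alert from the 1.3-only server, which is the failure a 1.2-only load balancer would hit before it ever reaches the session-specific certificate.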

@jefferai jefferai added needs-response and removed enhancement New feature or request labels Mar 17, 2021
jefferai (Member) commented

Closing due to lack of response.


3 participants