feat(socket) change LuaSec ssl_protocol default options #103
cd42c1d to 67dcd04
cc: @thibaultcha
The underlying LuaSec SSL library allows for setting the encryption protocol to 'any' [1]. When set as such, the client negotiates the highest encryption protocol available. This `any` protocol version setting is widely in use in the luasec repository [2].

In addition, this change limits the lowest allowable ssl protocol version to a version not less than TLSv1.1.

In support of the above, the implementation is two-fold:

- add no_sslv2, no_sslv3, and no_tlsv1 LuaSec options similar to what has been done in lua-cassandra [3]
- set default LuaSec ssl_protocol to 'any' also similar to what has been done in lua-cassandra [4]

[1] - https://github.com/brunoos/luasec/blob/711a98b7605ad87b521ba607024947113bc1f527/CHANGELOG#L101
[2] - https://github.com/brunoos/luasec/search?q=protocol+%3D+%22any%22
[3] - thibaultcha/lua-cassandra@b6dff88
[4] - thibaultcha/lua-cassandra@d742d5c

Signed-off-by: Jeremy J. Miller <jeremy.miller@konghq.com>

disable prefer server ciphers

Signed-off-by: Jeremy J. Miller <jeremy.miller@konghq.com>
67dcd04 to 61a1f2c
Looks good to me, thanks for getting the tests working. Tell me if you're good for the merge.
I wanted to do some triple checking with a product I'm working on (Kong) and this change. Everything checks out. With this change I can connect to PG9.5 and PG13 instances using TLSv1.1, TLSv1.2 and TLSv1.3 (in PG13). When trying to connect with TLSv1 or lower you will get:

I think this is ready for a merge. Thank you!
Thanks for the patch, I'll push out a new versioned number shortly
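
The effect of the settings named in the commit message above (`protocol = 'any'` plus the `no_sslv2`, `no_sslv3` and `no_tlsv1` options) can be checked offline by modelling which versions a LuaSec params table leaves enabled. This is an added example, not code from this pull request or from pgmoon; `enabled_versions`, `below_floor` and the `pinned` table are hypothetical names and a constructed sample, and the model assumes a named protocol pins exactly one version.

```lua
-- Added example (not the project's code): model the protocol versions a
-- LuaSec params table leaves enabled, weakest first.
local VERSIONS = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2", "tlsv1_3" }

local rank = {}
for i, v in ipairs(VERSIONS) do rank[v] = i end

-- Returns the list of versions the client may still negotiate.
local function enabled_versions(params)
  if params.protocol ~= "any" then
    -- Assumption: any named protocol pins the handshake to that version.
    assert(rank[params.protocol], "unknown protocol: " .. tostring(params.protocol))
    return { params.protocol }
  end
  local disabled = {}
  for _, opt in ipairs(params.options or {}) do
    local v = opt:match("^no_(.+)$")   -- "no_tlsv1" -> "tlsv1"
    if v then disabled[v] = true end
  end
  local out = {}
  for _, v in ipairs(VERSIONS) do
    if not disabled[v] then out[#out + 1] = v end
  end
  return out
end

-- Returns the enabled versions that are weaker than `floor`.
local function below_floor(params, floor)
  local weak = {}
  for _, v in ipairs(enabled_versions(params)) do
    if rank[v] < rank[floor] then weak[#weak + 1] = v end
  end
  return weak
end

-- Settings described in the commit message.
local new_default = {
  mode = "client",
  protocol = "any",
  options = { "no_sslv2", "no_sslv3", "no_tlsv1" },
}
-- Constructed sample for contrast: a single pinned legacy version.
local pinned = { mode = "client", protocol = "tlsv1", options = {} }

print("new default allows: " .. table.concat(enabled_versions(new_default), ", "))
print("new default, count below tlsv1_1: " .. #below_floor(new_default, "tlsv1_1"))
print("pinned sample, below tlsv1_1: " .. table.concat(below_floor(pinned, "tlsv1_1"), ", "))
```

The same `new_default` table is the shape LuaSec's `ssl.wrap` accepts, so the audit can run against the exact params a client passes before any connection is made.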
tball: Updating for 1.14 code base