[RFE] TLS 1.3 Support for Rancher Manager Ingress #42027
SURE-3166

QA Testing

Root cause
Rancher doesn't allow setting

What was fixed, or what changes have occurred
Rancher's validation of the two settings now allows min version to be 1.3 and enforces 1.3 ciphers if the min version is 1.3.

Areas or cases that should be tested / What areas could experience regressions?
Steps:
- Run Rancher without changing TLS-related settings (as before)
- Run Rancher by specifying

Test Cases (10 test cases)

Test 1: Start Rancher with only CATTLE_TLS_MIN_VERSION=1.3 (should fail) / Status: ✅ PASS
Test steps for validation:
```hcl
provisioner "remote-exec" {
  inline = [
    "sudo apt update",
    "sudo curl https://releases.rancher.com/install-docker/20.10.sh | sh",
    "docker run -d --restart=unless-stopped -p 80:80 -p 443:443 --privileged -e CATTLE_BOOTSTRAP_PASSWORD=${var.rancher_bootstrap_password} -e CATTLE_TLS_MIN_VERSION=1.3 rancher/rancher:${var.rancher_instances[count.index].rancher_version} --acme-domain ${random_pet.random_pet[count.index].id}.${var.aws_route53_fqdn}",
  ]
}
```
Expected outcome: an error message in the logs and Rancher not starting.
Actual outcome: error logs were present and Rancher didn't come up active.

Test 2: Run Rancher without specifying CATTLE_TLS_MIN_VERSION / Status: ✅ PASS
Expected outcome: Rancher starts up and functions without issue.
Actual outcome: no issues observed.

Test 3: Run with CATTLE_TLS_MIN_VERSION & CATTLE_TLS_CIPHERS / Status: ✅ PASS
Test steps for validation:
```hcl
provisioner "remote-exec" {
  inline = [
    "sudo apt update",
    "sudo curl https://releases.rancher.com/install-docker/20.10.sh | sh",
    "docker run -d --restart=unless-stopped -p 80:80 -p 443:443 --privileged -e CATTLE_BOOTSTRAP_PASSWORD=${var.rancher_bootstrap_password} -e CATTLE_TLS_MIN_VERSION=1.3 -e CATTLE_TLS_CIPHERS=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384 rancher/rancher:${var.rancher_instances[count.index].rancher_version} --acme-domain ${random_pet.random_pet[count.index].id}.${var.aws_route53_fqdn}",
  ]
}
```
Expected outcome: no error logs regarding TLS, and Rancher working as expected.
Actual outcome: no errors observed in logs regarding TLS; Rancher was working as expected.

Test 4: Run with CATTLE_TLS_MIN_VERSION & wrong CATTLE_TLS_CIPHERS / Status: ✅ PASS
Test steps for validation:
```hcl
provisioner "remote-exec" {
  inline = [
    "sudo apt update",
    "sudo curl https://releases.rancher.com/install-docker/20.10.sh | sh",
    "docker run -d --restart=unless-stopped -p 80:80 -p 443:443 --privileged -e CATTLE_BOOTSTRAP_PASSWORD=${var.rancher_bootstrap_password} -e CATTLE_TLS_MIN_VERSION=1.3 -e CATTLE_TLS_CIPHERS=TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 rancher/rancher:${var.rancher_instances[count.index].rancher_version} --acme-domain ${random_pet.random_pet[count.index].id}.${var.aws_route53_fqdn}",
  ]
}
```
Expected outcome: Rancher should fail to start and error with a message about needing the correct cipher.
Actual outcome: Rancher failed to start and was erroring about needing a set list of ciphers.

Test 5: Upgrade / Status: ✅ PASS
Expected outcome: Rancher to be usable after upgrading from v2.7.7 to v2.8-head and providing
Actual outcome: Rancher comes up active after upgrade and is usable. No warnings seen for TLS cipher.

Test 6: Unsupported TLS versions (TLS 1.0 and TLS 1.1) / Status: ✅ PASS
Expected outcome: these values fail.
Actual outcome: the values failed as expected.

Test 7: Install Rancher without explicit TLS version and with TLS 1.3 ciphers / Status: ✅ PASS
Expected outcome: this fails.
Actual outcome: failed as expected.

Test 8: Upgrade with CATTLE_TLS_MIN_VERSION=1.3 (expecting failure): attempt to upgrade Rancher with CATTLE_TLS_MIN_VERSION set to 1.3, and ensure that it fails. / Status: ✅ PASS
Expected outcome: should fail.
Actual outcome: failed as expected.

Test 9: Upgrade without specifying CATTLE_TLS_MIN_VERSION: perform an upgrade without CATTLE_TLS_MIN_VERSION and verify that the default value of tls-min-version is correctly set to 1.2. / Status: ✅ PASS
Expected outcome: the upgrade passes without passing a TLS version or ciphers, and the default version is 1.2.
Actual outcome: the upgrade passed without passing a TLS version or ciphers, and the default version is 1.2.

Test 10: Upgrade with CATTLE_TLS_MIN_VERSION and incorrect CATTLE_TLS_CIPHERS: attempt an upgrade with CATTLE_TLS_MIN_VERSION set to 1.3 and wrong or unsupported CATTLE_TLS_CIPHERS. Verify that the upgrade fails. / Status: ✅ PASS
Expected outcome: this fails.
Actual outcome: failed as expected.
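The startup validation that these ten cases exercise, written out as an added Go example (this is not Rancher's own code; Rancher's lives under pkg/tls in its repository). `ValidateTLSSettings` is a hypothetical name; it applies the rules the expected outcomes above imply: 1.0 and 1.1 refused, empty min version defaulting to 1.2, a TLS 1.2 suite refused under 1.3 and a TLS 1.3 suite refused under 1.2. The rule that min version 1.3 must come with an explicit cipher list is inferred from tests 1 and 8, and the cipher-to-version check relies on the `SupportedVersions` metadata Go's `tls.CipherSuites()` publishes rather than a hand-written list.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Accepted CATTLE_TLS_MIN_VERSION values. TLS 1.0 and 1.1 are deliberately
// absent (test 6): RFC 8996 deprecates them, so they must be refused at startup.
var minVersions = map[string]uint16{
	"1.2": tls.VersionTLS12,
	"1.3": tls.VersionTLS13,
}

// ValidateTLSSettings (hypothetical name) checks a CATTLE_TLS_MIN_VERSION /
// CATTLE_TLS_CIPHERS pair and returns the tls.Config a listener would use.
// The rules are the ones the test outcomes above imply:
//   - an empty min version defaults to 1.2 (tests 2 and 9)
//   - 1.0 and 1.1 are rejected outright (test 6)
//   - min version 1.3 requires an explicit cipher list (tests 1 and 8)
//   - every listed cipher must be usable at the min version, so TLS 1.2 suites
//     are refused under 1.3 (test 4) and TLS 1.3 suites under 1.2 (test 7)
//   - only suites crypto/tls considers secure are accepted, so legacy names fail
func ValidateTLSSettings(minVersion, ciphers string) (*tls.Config, error) {
	if minVersion == "" {
		minVersion = "1.2"
	}
	ver, ok := minVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("CATTLE_TLS_MIN_VERSION=%q is not supported; use 1.2 or 1.3", minVersion)
	}
	cfg := &tls.Config{MinVersion: ver}

	if strings.TrimSpace(ciphers) == "" {
		if ver == tls.VersionTLS13 {
			return nil, errors.New("CATTLE_TLS_MIN_VERSION=1.3 requires CATTLE_TLS_CIPHERS to list TLS 1.3 cipher suites")
		}
		return cfg, nil // crypto/tls picks its secure defaults for TLS 1.2
	}

	// tls.CipherSuites() excludes suites with known weaknesses (RC4, 3DES, ...),
	// so unknown and legacy names share one error path.
	byName := make(map[string]*tls.CipherSuite)
	for _, s := range tls.CipherSuites() {
		byName[s.Name] = s
	}
	for _, name := range strings.Split(ciphers, ",") {
		name = strings.TrimSpace(name)
		s, ok := byName[name]
		if !ok {
			return nil, fmt.Errorf("cipher %q is unknown or not considered secure", name)
		}
		if !supportsVersion(s, ver) {
			return nil, fmt.Errorf("cipher %q cannot be used with CATTLE_TLS_MIN_VERSION=%s", name, minVersion)
		}
		// For TLS 1.3 crypto/tls ignores CipherSuites and always uses its own 1.3
		// set, so the list is validated here but does not change negotiation.
		cfg.CipherSuites = append(cfg.CipherSuites, s.ID)
	}
	return cfg, nil
}

// supportsVersion reports whether crypto/tls can negotiate suite s at version ver.
func supportsVersion(s *tls.CipherSuite, ver uint16) bool {
	for _, v := range s.SupportedVersions {
		if v == ver {
			return true
		}
	}
	return false
}

func main() {
	// Read the same variables the docker run commands above pass with -e.
	cfg, err := ValidateTLSSettings(os.Getenv("CATTLE_TLS_MIN_VERSION"), os.Getenv("CATTLE_TLS_CIPHERS"))
	if err != nil {
		fmt.Println("refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("TLS min version 0x%04x, %d explicit cipher suite(s)\n", cfg.MinVersion, len(cfg.CipherSuites))
}
```

Running it with the environment from test 3 (`CATTLE_TLS_MIN_VERSION=1.3 CATTLE_TLS_CIPHERS=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384`) succeeds, while the test 4 list fails on `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` because that suite is only negotiable at TLS 1.2. Failing closed at startup, rather than silently ignoring an unusable cipher list, is what makes tests 4, 7 and 10 observable in the logs.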
Currently we do not support TLS 1.3 and a customer is asking that we do. Some applications that are part of the cluster could have TLS 1.3 enabled but doing so can end up breaking things.
The business case is that we will eventually have to do this once TLS v1.3 adoption at some point eclipses TLS v1.2.
Versions to be dropped: TLS 1.0 and TLS 1.1
Support for TLS 1.0 and TLS 1.1 must be dropped. These versions are considered insecure and were deprecated in 2021, see RFC 8996.
The deprecation must happen and be supported in all places and services used by Rancher:
- Source code - https://github.com/rancher/rancher/blob/release/v2.7/pkg/tls/base.go#L17-L21
- Single Docker install / Helm install / Ingress - https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/tls-settings
The configuration must be applied to all TLS services started by Rancher.

Versions to be maintained: TLS 1.2
In the same places listed above.

Versions to be added: TLS 1.3
In the same places listed above.
Notes
Regarding the ciphers to be supported by both TLS 1.2 and 1.3, we should use the compatible list provided by Cloudflare. Cloudflare's list aligns with Go's ciphers for TLS 1.3. Those ciphers offer a good compromise between client compatibility and security. Old or legacy ciphers must not be supported.
Ingress' default TLS configuration might have to be tailored according to the listed ciphers.
When a PR is ready for review, the Security team will run a TLS scan to confirm that all Rancher's TLS related services/ports do properly support TLS 1.2 and 1.3 and disallow TLS 1.0 and 1.1.
It would be good to get feedback from Product regarding whether we should completely remove TLS 1.0 and 1.1 or deprecate them first, given that this might impact customers (in case we have customers actually using those versions in their environments).
The changes must be release noted.
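The check the Security team's TLS scan performs, reproduced in-process as an added Go example (not Rancher's code): a loopback listener is configured with a given minimum version and probed by clients pinned to exactly one protocol version each. The self-signed certificate and the `rancher.example.test` hostname are constructed for the example, and it goes slightly beyond the text by probing all four versions against both a 1.2 and a 1.3 minimum: with min version 1.3 only a TLS 1.3 client completes the handshake; with 1.2, both 1.2 and 1.3 succeed and 1.0/1.1 are refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Protocol versions a scanner would try, keyed by the names used in the issue.
var versionNames = map[string]uint16{
	"TLS 1.0": tls.VersionTLS10,
	"TLS 1.1": tls.VersionTLS11,
	"TLS 1.2": tls.VersionTLS12,
	"TLS 1.3": tls.VersionTLS13,
}

// selfSignedCert creates a throwaway ECDSA certificate so the probe runs offline.
// The hostname is a constructed placeholder, not a real Rancher endpoint.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "rancher.example.test"},
		DNSNames:     []string{"rancher.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServerConfig is the server-side configuration for a given minimum version,
// i.e. what each Rancher TLS listener should end up with after the change.
func ServerConfig(minVersion uint16) (*tls.Config, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: minVersion, Certificates: []tls.Certificate{cert}}, nil
}

// ProbeVersion pins a client to exactly one protocol version and reports whether
// it completes a handshake against a loopback server running serverCfg.
func ProbeVersion(serverCfg *tls.Config, version uint16) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() {
		// Drive the server side of one handshake; a failure here surfaces as
		// the client's Dial error, so its own result is not needed separately.
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()
	clientCfg := &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // self-signed probe cert; only version negotiation matters here
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Scan probes every version against serverCfg and returns version name -> accepted.
func Scan(serverCfg *tls.Config) map[string]bool {
	out := make(map[string]bool, len(versionNames))
	for name, v := range versionNames {
		out[name] = ProbeVersion(serverCfg, v)
	}
	return out
}

func main() {
	for _, min := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		cfg, err := ServerConfig(min)
		if err != nil {
			panic(err)
		}
		res := Scan(cfg)
		fmt.Printf("server MinVersion=0x%04x:\n", min)
		for _, name := range []string{"TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"} {
			fmt.Printf("  %-7s accepted: %v\n", name, res[name])
		}
	}
}
```

The same probe loop, pointed at a real Rancher port instead of the loopback listener, is the per-version part of an external TLS scan; the scan against a deployment additionally has to cover every listener Rancher starts, since a minimum version set on one service says nothing about the others.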