Change default TLS options for more security #8951
Merged
kevinpollet added the status/2-needs-review, kind/bug/fix (a bug fix) and area/tls labels and removed the status/0-needs-triage label on Apr 20, 2022
ddtmachado force-pushed the tls-defaults branch 2 times, most recently from ac95e09 to 6ef6c77 on April 21, 2022 12:40
rtribotte added the kind/enhancement (a new or improved feature) label and removed the kind/bug/fix (a bug fix) label on May 18, 2022
rtribotte approved these changes on Sep 8, 2022:
LGTM 👌
ldez approved these changes on Sep 8, 2022:
LGTM
juliens approved these changes on Sep 8, 2022:
LGTM
What does this PR do?
Change the default TLS options for more security while maintaining compatibility with most clients.
Motivation
golang/go#45428
Fixes #6756
Go will remove support for TLS 1.0 and 1.1 soon, so I think it's better if we prepare in advance by changing the default values and then adding a notice on the deprecations page.
Plus lots of complaints about Traefik not being secure enough out of the box, from the TLS perspective.
Additional Notes
In this PR I trust that Go will keep an up-to-date list of secure ciphers during its lifecycle; the tests with static values will then ensure we notice when things change, so we don't break compatibility without notice.
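As an added illustration of the approach the description outlines (this is example code written for this page, not code from the pull request or from Traefik), the Go program below builds a server tls.Config along the same lines: TLS 1.2 as the minimum version and a cipher list taken from Go's own tls.CipherSuites(), so the toolchain's judgement of what is secure carries through. It also shows the other half of the idea, a Drift helper that compares a pinned list of suite names (the static values a test would hard-code) against the running toolchain's list, so a Go upgrade that adds or drops a suite is noticed rather than silently changing what clients can negotiate. The function names, the Validate check, the pinned list and the fake suite name are all constructed for this example; the project's real default values are not reproduced here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
)

// DefaultTLSConfig returns a hardened server config: TLS 1.2 minimum and only
// the TLS 1.2 suites that crypto/tls currently lists as secure.
// Hypothetical helper for this example, not the project's own defaults.
func DefaultTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: SecureCipherSuiteIDs(),
	}
}

// SecureCipherSuiteIDs collects the IDs from tls.CipherSuites() that support
// TLS 1.2. TLS 1.3 suites are skipped: Go does not let CipherSuites configure
// them, so listing them would be a no-op.
func SecureCipherSuiteIDs() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if cs.Insecure {
			continue
		}
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 {
				ids = append(ids, cs.ID)
				break
			}
		}
	}
	return ids
}

// Validate reports why cfg falls short of the baseline: MinVersion unset or
// below TLS 1.2, or a configured suite that crypto/tls marks insecure.
func Validate(cfg *tls.Config) error {
	if cfg.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion 0x%04x is unset or below TLS 1.2", cfg.MinVersion)
	}
	insecure := make(map[uint16]string)
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			return fmt.Errorf("cipher suite %s is marked insecure by crypto/tls", name)
		}
	}
	return nil
}

// CipherSuiteNames returns the sorted names of the running toolchain's secure
// suites; this is what a test pins as static values.
func CipherSuiteNames() []string {
	var names []string
	for _, cs := range tls.CipherSuites() {
		names = append(names, cs.Name)
	}
	sort.Strings(names)
	return names
}

// Drift compares a pinned name list with the current one and returns the
// names added by the toolchain and the pinned names it no longer offers.
// Both empty means the pinned values still match.
func Drift(pinned, current []string) (added, removed []string) {
	pinnedSet := make(map[string]bool, len(pinned))
	for _, n := range pinned {
		pinnedSet[n] = true
	}
	currentSet := make(map[string]bool, len(current))
	for _, n := range current {
		currentSet[n] = true
		if !pinnedSet[n] {
			added = append(added, n)
		}
	}
	for _, n := range pinned {
		if !currentSet[n] {
			removed = append(removed, n)
		}
	}
	sort.Strings(added)
	sort.Strings(removed)
	return added, removed
}

func main() {
	cfg := DefaultTLSConfig()
	fmt.Printf("min version 0x%04x, %d TLS 1.2 suites, validate: %v\n",
		cfg.MinVersion, len(cfg.CipherSuites), Validate(cfg))

	// Constructed pinned list: today's names with one swapped for a fake
	// entry, to show what a drift report looks like when the toolchain moves.
	current := CipherSuiteNames()
	pinned := append([]string{"TLS_CONSTRUCTED_FAKE_SUITE"}, current[1:]...)
	added, removed := Drift(pinned, current)
	fmt.Println("added since pin:  ", added)
	fmt.Println("removed since pin:", removed)
}
```

In a real test the pinned slice would be a literal kept in the repository; a non-empty Drift result then fails the build on the Go upgrade that changed the list, which is exactly the point at which compatibility with older clients needs a deliberate decision rather than an accidental one.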