Force the use of secure TLS config #873
Codecov Report

@@            Coverage Diff             @@
##             main     #873      +/-   ##
==========================================
- Coverage   79.04%   78.48%   -0.57%
==========================================
  Files         129      132       +3
  Lines        9245     9471     +226
==========================================
+ Hits         7308     7433     +125
- Misses       1706     1784      +78
- Partials      231      254      +23
Force-pushed from 5a24a5c to 8e667f7.
Force-pushed from 53b8b72 to c67c205.
Force-pushed from c67c205 to 029d6db.
This change updates the TLS config used by all pinniped components.
There are no configuration knobs associated with this change. Thus
this change tightens our static defaults.

There are four TLS config levels:

1. Secure (TLS 1.3 only)
2. Default (TLS 1.2+ best ciphers that are well supported)
3. Default LDAP (TLS 1.2+ with less good ciphers)
4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers)

Highlights per component:

1. pinniped CLI
   - uses "secure" config against KAS
   - uses "default" for all other connections
2. concierge
   - uses "secure" config as an aggregated API server
   - uses "default" config as an impersonation proxy API server
   - uses "secure" config against KAS
   - uses "default" config for JWT authenticator (mostly, see code)
   - no changes to webhook authenticator (see code)
3. supervisor
   - uses "default" config as a server
   - uses "secure" config against KAS
   - uses "default" config against OIDC IDPs
   - uses "default LDAP" config against LDAP IDPs

Signed-off-by: Monis Khan <mok@vmware.com>
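The four levels in the description map naturally onto Go's crypto/tls settings: the "secure" tier is expressed purely by MinVersion (Go does not let callers pick TLS 1.3 suites), and the three TLS 1.2+ tiers differ only in their CipherSuites list. The following is an added illustration of that layering, not Pinniped's own code; the suite lists for the "default" and "default LDAP" tiers are assumed for the example, and the "legacy" tier is derived from tls.CipherSuites(), which excludes the suites Go classifies as insecure. The Allows helper mirrors the negotiation rules so the difference between tiers can be checked offline.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Level names the four TLS config tiers listed in the PR description.
type Level int

const (
	Secure      Level = iota // TLS 1.3 only
	Default                  // TLS 1.2+, well-supported AEAD suites
	DefaultLDAP              // TLS 1.2+, wider suite list for LDAP servers
	Legacy                   // TLS 1.2+, every suite Go still considers non-broken
)

// Illustrative suite lists; assumed for this example, not Pinniped's actual lists.
var defaultSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}

// Many LDAP servers lack AEAD suites, so this tier adds forward-secret CBC suites (assumed).
var defaultLDAPSuites = append(append([]uint16{}, defaultSuites...),
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
)

// legacySuites returns every TLS 1.2 suite that crypto/tls does not classify as insecure
// (RC4, 3DES and the CBC-SHA256 suites live in tls.InsecureCipherSuites() and are left out).
func legacySuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 {
				ids = append(ids, cs.ID)
				break
			}
		}
	}
	return ids
}

// Config builds the static tls.Config for a level. There are deliberately no knobs.
func Config(l Level) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch l {
	case Secure:
		// TLS 1.3 suites are fixed by Go, so MinVersion alone defines this tier.
		cfg.MinVersion = tls.VersionTLS13
	case Default:
		cfg.CipherSuites = defaultSuites
	case DefaultLDAP:
		cfg.CipherSuites = defaultLDAPSuites
	case Legacy:
		cfg.CipherSuites = legacySuites()
	}
	return cfg
}

// Allows reports whether cfg would accept a handshake at the given protocol version and
// cipher suite: the version must meet MinVersion, TLS 1.3 suites are the fixed set Go
// implements, and a TLS 1.2 suite must appear in CipherSuites.
func Allows(cfg *tls.Config, version, suite uint16) bool {
	if version < cfg.MinVersion {
		return false
	}
	if version == tls.VersionTLS13 {
		switch suite {
		case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256:
			return true
		}
		return false
	}
	for _, id := range cfg.CipherSuites {
		if id == suite {
			return true
		}
	}
	return false
}

func main() {
	for l, name := range []string{"secure", "default", "default LDAP", "legacy"} {
		cfg := Config(Level(l))
		fmt.Printf("%-13s min=0x%04x suites=%d\n", name, cfg.MinVersion, len(cfg.CipherSuites))
	}
}
```

The check worth keeping from this is that a "secure" config rejects every TLS 1.2 handshake regardless of suite, while the looser tiers only widen the TLS 1.2 suite list and never lower MinVersion below 1.2.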
Force-pushed from 029d6db to cd686ff.
Error message when compiled with an older version of Go: