tvernum commented Jan 23, 2019

Per #37512 we're removing TLS 1.0 from the default protocols list in 7.0.

This change adds deprecation warnings if any SSL context is relying on the default protocols list and a TLSv1 connection is established (incoming or outgoing).

This covers:

  • Incoming connections: transport
  • Incoming connections: Rest (https)
  • Outgoing connections: Watcher (HttpClient)
  • Outgoing connections: Monitoring (HttpExporter)
  • Outgoing connections: LDAP / AD Realm (SessionFactory)
  • Outgoing connections: SAML metadata loading over https (SamlRealm)

Deprecations for incoming HTTP connections are included in the Warning headers sent back to that client. For the other contexts, the deprecation log must be used.

TLSv1.0 will be removed from the default list of supported protocols
in v7.0.
This change adds deprecation warnings when a TLS v1.0 connection is
used without having been explicitly configured as a supported protocol.
Such situations will fail in Elasticsearch 7.x.

jaymode commented Jan 23, 2019

Is there a plan to do anything for LDAP connections?

tvernum commented Jan 23, 2019

LDAP connections

No plan, but I'll have a look.
I am working on a deprecations API check that will include LDAP.

tvernum commented Jan 24, 2019

This PR now covers both LDAP and SAML metadata (https) connections.

jaymode left a comment

LGTM

tvernum commented Jan 29, 2019

@elasticmachine test this please

tvernum merged commit 1f41c7c into elastic:6.x Jan 29, 2019
@jaymode jaymode mentioned this pull request Jan 29, 2019