Presence of AppChannelAllowInsecureTLS feature flag #7149
Comments
I agree, this should have been removed. @DeepanshuA you worked on this, right?

@fazledyn-or Thanks for raising this up. @ItalyPaleAle I will pick this up.

/assign

@mukundansundar - Does this affect docs?

I do not think so. This is a breaking change which will be in the breaking changes section in release notes.

Any updates on this regarding the docs?

Yeah, it should be in the breaking changes section in docs, wherein we just need to specify that we can't use TLS below 1.2 for App Channel anymore - even the

Can you please point me to the 1.13 Release Notes hackmd link, I can make a change in the breaking change section.

If this is only in the breaking changes section, that is covered by the label.
In what area(s)?
/area runtime
What version of Dapr?
1.12.0
Expected Behavior
While triaging your project, our bug fixing tool generated the following message:

Details

The bug fixing tool generated the following diff:

From the comments at channels.go and configuration.go, I can see that the feature flag AppChannelAllowInsecureTLS is to be removed in Dapr 1.13. However, in the same configuration.go file, we can see that the ActorStateTTL feature flag is present, where it says -

Since Dapr 1.12 was released last month on Oct 12, 2023 and the flag hasn't been removed, it looks like a mistake. In that case, should AppChannelAllowInsecureTLS be removed too?

If the AppChannelAllowInsecureTLS flag is to stay, then it leads to a security flaw since the crypto/tls documentation states that -

Source: https://pkg.go.dev/crypto/tls#Config.MinVersion
Sponsorship and Support
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.
The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.
Actual Behavior
Steps to Reproduce the Problem
Release Note
RELEASE NOTE:
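The security point the report makes is that a flag which keeps insecure TLS available lowers the server's `MinVersion` floor, so a legacy peer can negotiate TLS 1.0 against the app channel. The Go program below is an added example written for this page, not Dapr's code: `appChannelTLSConfig` is a hypothetical stand-in for what such a flag would do to the server-side `tls.Config`, and the rest is a self-contained in-memory handshake harness (throwaway self-signed certificate, `net.Pipe`) that runs both flag settings against a TLS 1.0-only client and a modern client. It shows that with the flag off the legacy client is refused with a protocol-version alert while modern clients still connect, and that with the flag on the downgrade succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// appChannelTLSConfig is a hypothetical stand-in (constructed for this example,
// not Dapr's code) for the effect of a flag like AppChannelAllowInsecureTLS on
// the server side: flag off keeps the floor at TLS 1.2, flag on drops it to 1.0.
func appChannelTLSConfig(allowInsecureTLS bool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if allowInsecureTLS {
		cfg.MinVersion = tls.VersionTLS10 // the downgrade the flag permits
	}
	return cfg
}

// selfSignedCert creates a throwaway ECDSA P-256 certificate for "localhost"
// plus a pool that trusts it, so the client verifies the server normally.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs an in-memory handshake between a server using serverCfg and a
// client that speaks at most clientMaxVersion. It returns the negotiated
// protocol version, or the error if the handshake was refused.
func handshake(serverCfg *tls.Config, clientMaxVersion uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	sCfg := serverCfg.Clone()
	sCfg.Certificates = []tls.Certificate{cert}
	sCfg.SessionTicketsDisabled = true // keep the server flight to what Handshake() consumes
	cCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS10, // a legacy client willing to go as low as 1.0
		MaxVersion: clientMaxVersion,
	}

	clientConn, serverConn := net.Pipe()
	serverErr := make(chan error, 1)
	go func() {
		err := tls.Server(serverConn, sCfg).Handshake()
		serverConn.Close() // raw close; no close_notify exchange needed here
		serverErr <- err
	}()

	client := tls.Client(clientConn, cCfg)
	err = client.Handshake()
	ver := uint16(0)
	if err == nil {
		ver = client.ConnectionState().Version
	}
	clientConn.Close()
	if sErr := <-serverErr; err == nil && sErr != nil {
		return 0, sErr
	}
	return ver, err
}

// versionName gives a readable label for the wire version values used above.
func versionName(v uint16) string {
	names := map[uint16]string{tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
		tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	if n, ok := names[v]; ok {
		return n
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	for _, allow := range []bool{false, true} {
		for _, max := range []uint16{tls.VersionTLS10, tls.VersionTLS13} {
			ver, err := handshake(appChannelTLSConfig(allow), max)
			if err != nil {
				fmt.Printf("allowInsecureTLS=%-5v client<=%s: refused (%v)\n", allow, versionName(max), err)
				continue
			}
			fmt.Printf("allowInsecureTLS=%-5v client<=%s: negotiated %s\n", allow, versionName(max), versionName(ver))
		}
	}
}
```

The check worth keeping from this is the first case: with the insecure flag off, the server must answer a TLS 1.0-only ClientHello with a protocol-version alert rather than completing the handshake. Removing the flag altogether, as the report proposes, turns that refusal into behaviour that cannot be switched off by configuration.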