Registry - Allow minimum TLS version to be configurable #2807
Comments
|
I think this is a good change. Please go ahead and make the PR. @dmp42 WDYT? And thank you for asking this question on the issue first :) |
|
Yes. That you for asking in an issue first.
Seeing now 1.{0, 1} may support the cipher suites listed so I'll take back that comment |
|
It looks like this change has not yet been officially released - it's not part of 2.7.x release stream and not in 2.7.1, which is the most recent available version, it seems. 2.7.1 is dated January. Any plans for a new release? |
|
We're looking for this change to be officially released as well. It's been a year now since this change was merged, and there is no consumable release. |
|
Also looking for this to be released. |
|
Hope this gets released eventually, but if it helps anyone - we worked around this limitation by creating an nginx reverse proxy container to terminate TLS, in front of the unencrypted registry container, and limited their communications to a bridge network on the host. From outside, everything was encrypted properly, and the "localhost" unencrypted traffic was acceptable to our auditors. I don't have access any more, but as I recall it was a stock _library/nginx container with an nginx.conf mounted in to implement the TLS terminating reverse proxy. @caervs Anything holding this up from a release that I can help with? |
|
New registry was made and I still do not see this fix...
|
|
Any news on this? I would like to get these deprecated TLS versions findings out of my scan report. |
|
Still not seeing the fix: |
|
@caervs @manishtomar @gregrebholz ^ This issue was closed/merged but never added to an official release. |
|
cc @thaJeztah |
|
PR #3169 Would provide a more future proof fix for this issue. It has been over a year without it getting merged... |
|
Any update on when a release will be done that includes this feature? I am using docker version 20.10.8, and I am still getting the error: |
|
What is the current development release ? I have tried to pull the suggested version but go this. Pulling registry (registry:2.7.0-272-gc63b5805)... |
|
Even on registry;latest I am still seeing: time="2021-12-08T06:20:22Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_HTTP_TLS_MINIMUMTLS" |
|
@caervs Can you please re-open this? Issues still valid after 3 years |
|
For anyone still hoping for this, it looks to be available in the |
|
Confirmed. [2.8.0] With this set |
|
Thanks. It is working |
Similar to #2715 I have a high-security environment where no TLS1.0 or TLS1.1 traffic is allowed, and registry currently hardcodes the minimum TLS version.
I would like to make a PR from gregrebholz@28e69d1 if it is agreeable.
The optional config.yml argument can be specified as:
An omitted or unrecognized string results in the same TLS1.0 support we have today, and allowed strings are in the updated docs. During startup, any modified minimum TLS version reports:
INFO[0000] restricting TLS to tls1.2 or higher go.version=go1.11.4 instance.id=f105d3fe-e11e-4b67-a4e5-148eaf395315 service=registry version=v2.7.0-5-g28e69d1e.mThe text was updated successfully, but these errors were encountered: