Registry - Allow minimum TLS version to be configurable #2807
Comments
I think this is a good change. Please go ahead and make the PR. @dmp42 WDYT? And thank you for asking this question on the issue first :)
Yes. Thank you for asking in an issue first.
Seeing now 1.{0, 1} may support the cipher suites listed so I'll take back that comment
It looks like this change has not yet been officially released - it's not part of the 2.7.x release stream and not in 2.7.1, which is the most recent available version, it seems. 2.7.1 is dated January. Any plans for a new release?
We're looking for this change to be officially released as well. It's been a year now since this change was merged, and there is no consumable release.
Also looking for this to be released.
Hope this gets released eventually, but if it helps anyone - we worked around this limitation by creating an nginx reverse proxy container to terminate TLS, in front of the unencrypted registry container, and limited their communications to a bridge network on the host. From outside, everything was encrypted properly, and the "localhost" unencrypted traffic was acceptable to our auditors. I don't have access any more, but as I recall it was a stock _library/nginx container with an nginx.conf mounted in to implement the TLS terminating reverse proxy. @caervs Anything holding this up from a release that I can help with?
New registry was made and I still do not see this fix...
Any news on this? I would like to get these deprecated TLS versions findings out of my scan report.
Still not seeing the fix:
@caervs @manishtomar @gregrebholz ^ This issue was closed/merged but never added to an official release.
cc @thaJeztah
PR #3169 would provide a more future proof fix for this issue. It has been over a year without it getting merged...
Any update on when a release will be done that includes this feature? I am using docker version 20.10.8, and I am still getting the error:
What is the current development release? I have tried to pull the suggested version but got this. Pulling registry (registry:2.7.0-272-gc63b5805)...
Even on registry:latest I am still seeing: time="2021-12-08T06:20:22Z" level=warning msg="Ignoring unrecognized environment variable REGISTRY_HTTP_TLS_MINIMUMTLS"
@caervs Can you please re-open this? Issue is still valid after 3 years
For anyone still hoping for this, it looks to be available in the
Confirmed. [2.8.0] With this set
Thanks. It is working
Similar to #2715 I have a high-security environment where no TLS1.0 or TLS1.1 traffic is allowed, and registry currently hardcodes the minimum TLS version.
I would like to make a PR from gregrebholz@28e69d1 if it is agreeable.
The optional config.yml argument can be specified as:
An omitted or unrecognized string results in the same TLS1.0 support we have today, and allowed strings are in the updated docs. During startup, any modified minimum TLS version reports:
INFO[0000] restricting TLS to tls1.2 or higher go.version=go1.11.4 instance.id=f105d3fe-e11e-4b67-a4e5-148eaf395315 service=registry version=v2.7.0-5-g28e69d1e.m
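Added example, not the registry's code or the linked commit: a Go sketch of the mechanism the issue describes, mapping a configured minimum-version string to tls.Config.MinVersion with the TLS1.0 fallback for an omitted or unrecognized value, followed by an in-memory handshake check showing that a client below the configured minimum is refused. The accepted strings, the helper names and the "tls1.3" sample value are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Accepted config strings (assumed names, not the registry's own list).
var tlsVersions = map[string]uint16{"tls1.0": tls.VersionTLS10, "tls1.1": tls.VersionTLS11,
	"tls1.2": tls.VersionTLS12, "tls1.3": tls.VersionTLS13}
// minTLSVersion maps the config value to tls.Config.MinVersion; an omitted or unrecognized string keeps the existing TLS1.0 minimum.
func minTLSVersion(s string) (version uint16, recognized bool) {
	if v, ok := tlsVersions[s]; ok {
		return v, true
	}
	return tls.VersionTLS10, false
}
// selfSignedCert builds a throwaway ECDSA certificate for the in-memory test server.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// handshakeAllowed reports whether a client offering at most clientMax completes a handshake with a server whose MinVersion is serverMin.
func handshakeAllowed(serverMin, clientMax uint16) bool {
	srv, cli := net.Pipe() // synchronous in-memory connection; no network needed
	srv.SetDeadline(time.Now().Add(5 * time.Second))
	cli.SetDeadline(time.Now().Add(5 * time.Second))
	sc := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()},
		MinVersion: serverMin, SessionTicketsDisabled: true}
	cc := &tls.Config{InsecureSkipVerify: true, // test only: the throwaway cert has no CA
		MinVersion: tls.VersionTLS12, MaxVersion: clientMax}
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(srv, sc).Handshake() }()
	cerr := tls.Client(cli, cc).Handshake()
	return cerr == nil && <-errc == nil
}

func main() {
	minVer, _ := minTLSVersion("tls1.3") // assumed config value; "" or "bogus" would yield TLS1.0
	fmt.Println("TLS 1.2 client accepted:", handshakeAllowed(minVer, tls.VersionTLS12)) // false
}
```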