Change default TLS options for more security #8951

Merged
merged 5 commits into from Sep 8, 2022


@ddtmachado ddtmachado commented Apr 20, 2022

What does this PR do?

Change the default TLS Options for more security while maintaining compatibility with most clients

Motivation

golang/go#45428

Fixes #6756

Go will remove support for TLS 1.0 and 1.1 soon, so I think it's better if we prepare in advance by changing the default values and then adding a notice on the deprecations page.

Plus lots of complaints about Traefik not being secure enough out of the box, from the TLS perspective.

More

  • Added/updated tests
  • Added/updated documentation

Additional Notes

In this PR I trust that Go will keep an up-to-date list of secure ciphers during its lifecycle; the tests with static values will then ensure we notice when things change, so we don't break compatibility without notice.
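Added example, not code from this PR or from the Traefik code base: one way to derive defaults from Go's own secure cipher list and to detect drift against a pinned static list, as the notes above describe. The helper names `defaultTLSConfig` and `drift`, the TLS 1.2 floor, and the pinned list are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
)

// defaultTLSConfig (hypothetical helper) sets a TLS 1.2 floor and enables the
// TLS 1.2 suites Go lists as secure; it also returns their names for pinning.
func defaultTLSConfig() (*tls.Config, []string) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	var names []string
	for _, s := range tls.CipherSuites() { // excludes tls.InsecureCipherSuites()
		for _, v := range s.SupportedVersions {
			if v == tls.VersionTLS12 {
				cfg.CipherSuites = append(cfg.CipherSuites, s.ID)
				names = append(names, s.Name)
			}
		}
	}
	return cfg, names
}

// drift lists suite names found in only one of the two lists.
func drift(pinned, current []string) (added, removed []string) {
	seen := make(map[string]bool, len(pinned))
	for _, n := range pinned {
		seen[n] = true
	}
	for _, n := range current {
		if !seen[n] {
			added = append(added, n)
		}
		delete(seen, n)
	}
	for n := range seen {
		removed = append(removed, n)
	}
	sort.Strings(removed)
	return added, removed
}

func main() {
	// Constructed pinned list, incomplete on purpose so the diff is non-empty.
	pinned := []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA"}
	cfg, current := defaultTLSConfig()
	added, removed := drift(pinned, current)
	fmt.Printf("min=%#x added=%v removed=%v\n", cfg.MinVersion, added, removed)
}
```

`tls.Config.CipherSuites` only governs TLS 1.2 and below; Go does not make the TLS 1.3 suites configurable, which is why they are filtered out here.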

@ldez ldez added the breaking label Apr 20, 2022
@kevinpollet kevinpollet added this to To review in v2 via automation Apr 20, 2022
@kevinpollet kevinpollet added this to the 2.7 milestone Apr 20, 2022
@ddtmachado ddtmachado force-pushed the tls-defaults branch 2 times, most recently from ac95e09 to 6ef6c77 Compare April 21, 2022 12:40
@rtribotte rtribotte changed the base branch from v2.7 to master May 18, 2022 13:13
@rtribotte rtribotte added kind/enhancement a new or improved feature. and removed kind/bug/fix a bug fix labels May 18, 2022
@rtribotte rtribotte modified the milestones: 2.7, next May 18, 2022
@rtribotte rtribotte modified the milestones: 2.8, next Jun 10, 2022

@rtribotte rtribotte left a comment

LGTM 👌

@ldez ldez removed the breaking label Sep 8, 2022

@ldez ldez left a comment

LGTM


@juliens juliens left a comment

LGTM

@traefiker traefiker merged commit c84378d into traefik:master Sep 8, 2022
v2 automation moved this from To review to Done Sep 8, 2022
Labels
area/tls kind/enhancement a new or improved feature. size/S
Successfully merging this pull request may close these issues.

Please disable TLS 1.0 and 1.1 by default