diff --git a/.changelog/23712.txt b/.changelog/23712.txt
new file mode 100644
index 00000000000..bf8dbc30aa1
--- /dev/null
+++ b/.changelog/23712.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+tls: Removed deprecated `tls.prefer_server_cipher_suites` field from agent configuration
+```
diff --git a/command/agent/config_parse_test.go b/command/agent/config_parse_test.go
index 800eeefd4b9..9e1554c69fc 100644
--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@@ -282,17 +282,16 @@ var basicConfig = &Config{
 },
 }},
 TLSConfig: &config.TLSConfig{
- EnableHTTP: true,
- EnableRPC: true,
- VerifyServerHostname: true,
- CAFile: "foo",
- CertFile: "bar",
- KeyFile: "pipe",
- RPCUpgradeMode: true,
- VerifyHTTPSClient: true,
- TLSPreferServerCipherSuites: true,
- TLSCipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- TLSMinVersion: "tls12",
+ EnableHTTP: true,
+ EnableRPC: true,
+ VerifyServerHostname: true,
+ CAFile: "foo",
+ CertFile: "bar",
+ KeyFile: "pipe",
+ RPCUpgradeMode: true,
+ VerifyHTTPSClient: true,
+ TLSCipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ TLSMinVersion: "tls12",
 },
 HTTPAPIResponseHeaders: map[string]string{
 "Access-Control-Allow-Origin": "*",
diff --git a/command/agent/testdata/basic.hcl b/command/agent/testdata/basic.hcl
index a1e54f7515b..75f5df35020 100644
--- a/command/agent/testdata/basic.hcl
+++ b/command/agent/testdata/basic.hcl
@@ -290,17 +290,16 @@ vault {
 }
 tls {
- http = true
- rpc = true
- verify_server_hostname = true
- ca_file = "foo"
- cert_file = "bar"
- key_file = "pipe"
- rpc_upgrade_mode = true
- verify_https_client = true
- tls_prefer_server_cipher_suites = true
- tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- tls_min_version = "tls12"
+ http = true
+ rpc = true
+ verify_server_hostname = true
+ ca_file = "foo"
+ cert_file = "bar"
+ key_file = "pipe"
+ rpc_upgrade_mode = true
+ verify_https_client = true
+ tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ tls_min_version = "tls12"
 }
 sentinel {
diff --git a/command/agent/testdata/basic.json b/command/agent/testdata/basic.json
index c3f0231eeb7..25cc71d93c3 100644
--- a/command/agent/testdata/basic.json
+++ b/command/agent/testdata/basic.json
@@ -389,7 +389,6 @@
 "rpc_upgrade_mode": true,
 "tls_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 "tls_min_version": "tls12",
- "tls_prefer_server_cipher_suites": true,
 "verify_https_client": true,
 "verify_server_hostname": true
 }
diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go
index 9c57b9a33bc..a067ffd5e0a 100644
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -142,12 +142,6 @@ type Config struct {
 // these values for acceptable safe alternatives.
 CipherSuites []uint16
- // PreferServerCipherSuites controls whether the server selects the
- // client's most preferred ciphersuite, or the server's most preferred
- // ciphersuite. If true then the server's preference, as expressed in
- // the order of elements in CipherSuites, is used.
- PreferServerCipherSuites bool
-
 // MinVersion contains the minimum SSL/TLS version that is accepted.
 MinVersion uint16
 }
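Review bot: The comment on the surviving `CipherSuites` field, directly above the removed lines in the helper/tlsutil/config.go hunk, should now say how suite preference works, because the deleted doc was the only place that explained it: since Go 1.17 crypto/tls ignores both `PreferServerCipherSuites` and the order of `CipherSuites` and applies its own fixed ordering, so the removed field had no effect and this change is behavior-neutral. I would append to that comment `// Order is not significant: crypto/tls (Go 1.17+) applies its own suite ordering and ignores client or server preference.` The beginning of the CipherSuites comment is outside the hunk, so confirm it does not still describe list order as a preference. The same field removal in the NewTLSConfiguration, OutgoingTLSConfig and IncomingTLSConfig hunks is consistent and needs nothing further.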
@@ -164,16 +158,15 @@ func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoi
 }
 return &Config{
- VerifyIncoming: verifyIncoming,
- VerifyOutgoing: verifyOutgoing,
- VerifyServerHostname: newConf.VerifyServerHostname,
- CAFile: newConf.CAFile,
- CertFile: newConf.CertFile,
- KeyFile: newConf.KeyFile,
- KeyLoader: newConf.GetKeyLoader(),
- CipherSuites: ciphers,
- MinVersion: minVersion,
- PreferServerCipherSuites: newConf.TLSPreferServerCipherSuites,
+ VerifyIncoming: verifyIncoming,
+ VerifyOutgoing: verifyOutgoing,
+ VerifyServerHostname: newConf.VerifyServerHostname,
+ CAFile: newConf.CAFile,
+ CertFile: newConf.CertFile,
+ KeyFile: newConf.KeyFile,
+ KeyLoader: newConf.GetKeyLoader(),
+ CipherSuites: ciphers,
+ MinVersion: minVersion,
 }, nil
 }
@@ -231,11 +224,10 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 }
 // Create the tlsConfig
 tlsConfig := &tls.Config{
- RootCAs: x509.NewCertPool(),
- InsecureSkipVerify: true,
- CipherSuites: c.CipherSuites,
- MinVersion: c.MinVersion,
- PreferServerCipherSuites: c.PreferServerCipherSuites,
+ RootCAs: x509.NewCertPool(),
+ InsecureSkipVerify: true,
+ CipherSuites: c.CipherSuites,
+ MinVersion: c.MinVersion,
 }
 if c.VerifyServerHostname {
 tlsConfig.InsecureSkipVerify = false
@@ -349,11 +341,10 @@ func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) {
 func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 // Create the tlsConfig
 tlsConfig := &tls.Config{
- ClientCAs: x509.NewCertPool(),
- ClientAuth: tls.NoClientCert,
- CipherSuites: c.CipherSuites,
- MinVersion: c.MinVersion,
- PreferServerCipherSuites: c.PreferServerCipherSuites,
+ ClientCAs: x509.NewCertPool(),
+ ClientAuth: tls.NoClientCert,
+ CipherSuites: c.CipherSuites,
+ MinVersion: c.MinVersion,
 }
 // Parse the CA cert if any
diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go
index e67f1adaf7a..62234986753 100644
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
@@ -409,32 +409,6 @@ func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
 assert.NotNil(cert)
 }
-func TestConfig_OutgoingTLS_PreferServerCipherSuites(t *testing.T) {
- ci.Parallel(t)
-
- require := require.New(t)
-
- {
- conf := &Config{
- VerifyOutgoing: true,
- CAFile: cacert,
- }
- tlsConfig, err := conf.OutgoingTLSConfig()
- require.Nil(err)
- require.Equal(tlsConfig.PreferServerCipherSuites, false)
- }
- {
- conf := &Config{
- VerifyOutgoing: true,
- CAFile: cacert,
- PreferServerCipherSuites: true,
- }
- tlsConfig, err := conf.OutgoingTLSConfig()
- require.Nil(err)
- require.Equal(tlsConfig.PreferServerCipherSuites, true)
- }
-}
-
 func TestConfig_OutgoingTLS_TLSCipherSuites(t *testing.T) {
 ci.Parallel(t)
@@ -731,27 +705,6 @@ func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
 }
 }
-func TestConfig_IncomingTLS_PreferServerCipherSuites(t *testing.T) {
- ci.Parallel(t)
-
- require := require.New(t)
-
- {
- conf := &Config{}
- tlsConfig, err := conf.IncomingTLSConfig()
- require.Nil(err)
- require.Equal(tlsConfig.PreferServerCipherSuites, false)
- }
- {
- conf := &Config{
- PreferServerCipherSuites: true,
- }
- tlsConfig, err := conf.IncomingTLSConfig()
- require.Nil(err)
- require.Equal(tlsConfig.PreferServerCipherSuites, true)
- }
-}
-
 func TestConfig_IncomingTLS_TLSCipherSuites(t *testing.T) {
 ci.Parallel(t)
diff --git a/nomad/structs/config/tls.go b/nomad/structs/config/tls.go
index 3ae14761654..e1c01730698 100644
--- a/nomad/structs/config/tls.go
+++ b/nomad/structs/config/tls.go
@@ -67,12 +67,6 @@ type TLSConfig struct {
 // connections. Should be either "tls10", "tls11", or "tls12".
 TLSMinVersion string `hcl:"tls_min_version"`
- // TLSPreferServerCipherSuites controls whether the server selects the
- // client's most preferred ciphersuite, or the server's most preferred
- // ciphersuite. If true then the server's preference, as expressed in
- // the order of elements in CipherSuites, is used.
- TLSPreferServerCipherSuites bool `hcl:"tls_prefer_server_cipher_suites"`
-
 // ExtraKeysHCL is used by hcl to surface unexpected keys
 ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`
 }
@@ -170,8 +164,6 @@ func (t *TLSConfig) Copy() *TLSConfig {
 new.TLSCipherSuites = t.TLSCipherSuites
 new.TLSMinVersion = t.TLSMinVersion
- new.TLSPreferServerCipherSuites = t.TLSPreferServerCipherSuites
-
 new.SetChecksum()
 return new
@@ -225,9 +217,6 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
 if b.TLSMinVersion != "" {
 result.TLSMinVersion = b.TLSMinVersion
 }
- if b.TLSPreferServerCipherSuites {
- result.TLSPreferServerCipherSuites = true
- }
 return result
 }
diff --git a/nomad/structs/config/tls_test.go b/nomad/structs/config/tls_test.go
index 3239ff4f68d..6501cd484fc 100644
--- a/nomad/structs/config/tls_test.go
+++ b/nomad/structs/config/tls_test.go
@@ -21,15 +21,14 @@ func TestTLSConfig_Merge(t *testing.T) {
 }
 b := &TLSConfig{
- EnableHTTP: true,
- EnableRPC: true,
- VerifyServerHostname: true,
- CAFile: "test-ca-file-2",
- CertFile: "test-cert-file-2",
- RPCUpgradeMode: true,
- TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- TLSMinVersion: "tls12",
- TLSPreferServerCipherSuites: true,
+ EnableHTTP: true,
+ EnableRPC: true,
+ VerifyServerHostname: true,
+ CAFile: "test-ca-file-2",
+ CertFile: "test-cert-file-2",
+ RPCUpgradeMode: true,
+ TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ TLSMinVersion: "tls12",
 }
 new := a.Merge(b)
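Review bot: Dropping the `hcl:"tls_prefer_server_cipher_suites"` tag in the nomad/structs/config/tls.go struct hunk means a config file that still carries the key now lands in `ExtraKeysHCL` (the `unusedKeys` field two lines below), so operators with the deprecated setting will see it reported as an unexpected key at startup instead of being silently ignored; whether that is fatal depends on how callers treat ExtraKeysHCL, which is outside this hunk. That is acceptable for a change labelled breaking, but the changelog entry names the key as `tls.prefer_server_cipher_suites` while the tag removed here is `tls_prefer_server_cipher_suites` inside the `tls` block, so the text an operator would grep for does not match the key they must delete; the entry should name `tls_prefer_server_cipher_suites` exactly as the tag did. The Copy and Merge hunks below are consistent with the field removal and need nothing further.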
@@ -188,12 +187,11 @@ func TestTLS_Copy(t *testing.T) {
 fookey = "../../../helper/tlsutil/testdata/regionFoo-client-nomad-key.pem"
 )
 a := &TLSConfig{
- CAFile: cafile,
- CertFile: foocert,
- KeyFile: fookey,
- TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
- TLSMinVersion: "tls12",
- TLSPreferServerCipherSuites: true,
+ CAFile: cafile,
+ CertFile: foocert,
+ KeyFile: fookey,
+ TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ TLSMinVersion: "tls12",
 }
 a.SetChecksum()
diff --git a/website/content/docs/configuration/tls.mdx b/website/content/docs/configuration/tls.mdx
index 4957e5bed18..e68bdfea0b0 100644
--- a/website/content/docs/configuration/tls.mdx
+++ b/website/content/docs/configuration/tls.mdx
@@ -78,9 +78,6 @@ the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-securi
 - `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12".
-- `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether
- TLS connections should prefer the server's ciphersuites over the client's.
-
 - `verify_https_client` `(bool: false)` - Specifies agents should require client certificates for all incoming HTTPS requests, effectively upgrading [`tls.http=true`](#http) to mTLS. The client certificates must be signed by