From 98b09d3eca5657e483bb1b86f3f2d16cfc81056b Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Wed, 31 Jul 2024 16:53:45 -0400 Subject: [PATCH] tls: support setting min version to TLS1.3 Nomad already supports TLS1.3, but not as a minimum version configuration. Update our config validation to allow setting `tls_min_version` to 1.3. Update the documentation to match Vault and warn that the `tls_cipher_suites` field is ignored when TLS is 1.3 Fixes: https://github.com/hashicorp/nomad/issues/20131 Ref: https://hashicorp.atlassian.net/browse/NET-10530 --- .changelog/23713.txt | 3 +++ helper/tlsutil/config.go | 1 + helper/tlsutil/config_test.go | 4 +--- nomad/structs/config/tls.go | 2 +- website/content/docs/configuration/tls.mdx | 8 +++++++- 5 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 .changelog/23713.txt diff --git a/.changelog/23713.txt b/.changelog/23713.txt new file mode 100644 index 00000000000..7936de6aa0e --- /dev/null +++ b/.changelog/23713.txt @@ -0,0 +1,3 @@ +```release-note:improvement +tls: Allow setting the `tls_min_version` field to `"tls13"` +``` diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go index 9c57b9a33bc..37bb5aefebe 100644 --- a/helper/tlsutil/config.go +++ b/helper/tlsutil/config.go @@ -22,6 +22,7 @@ var supportedTLSVersions = map[string]uint16{ "tls10": tls.VersionTLS10, "tls11": tls.VersionTLS11, "tls12": tls.VersionTLS12, + "tls13": tls.VersionTLS13, } // supportedTLSCiphers are the complete list of TLS ciphers supported by Nomad diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go index e67f1adaf7a..b99dde68675 100644 --- a/helper/tlsutil/config_test.go +++ b/helper/tlsutil/config_test.go @@ -949,9 +949,7 @@ func TestConfig_ParseMinVersion_Invalid(t *testing.T) { require := require.New(t) - invalidVersions := []string{"tls13", - "tls15", - } + invalidVersions := []string{"ssl3", "tls14", "tls15"} for _, version := range invalidVersions { parsedVersion, err := ParseMinVersion(version) diff --git a/nomad/structs/config/tls.go b/nomad/structs/config/tls.go index 3ae14761654..f2e27bfa0ca 100644 --- a/nomad/structs/config/tls.go +++ b/nomad/structs/config/tls.go @@ -64,7 +64,7 @@ type TLSConfig struct { TLSCipherSuites string `hcl:"tls_cipher_suites"` // TLSMinVersion is used to set the minimum TLS version used for TLS - // connections. Should be either "tls10", "tls11", or "tls12". + // connections. Should be either "tls10", "tls11", "tls12", "tls13". TLSMinVersion string `hcl:"tls_min_version"` // TLSPreferServerCipherSuites controls whether the server selects the diff --git a/website/content/docs/configuration/tls.mdx b/website/content/docs/configuration/tls.mdx index 4957e5bed18..8d88678fa6c 100644 --- a/website/content/docs/configuration/tls.mdx +++ b/website/content/docs/configuration/tls.mdx @@ -73,10 +73,15 @@ the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-securi TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. + Nomad does not accept explicit ciphersuite configuration when for TLS 1.3 + because the Go team has already designated a select set of ciphers that align + with the broadly-accepted Mozilla Security/Server Side TLS guidance for + [modern TLS configuration][modern-tls]. + ~> **Warning:** the use of insecure cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and TLS_RSA_WITH_AES_128_CBC_SHA256 is now unsupported. - `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version - of TLS. Accepted values are "tls10", "tls11", "tls12". + of TLS. Accepted values are "tls10", "tls11", "tls12", "tls13". - `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether TLS connections should prefer the server's ciphersuites over the client's. @@ -129,3 +134,4 @@ connections will be closed. This process works when upgrading to TLS, downgrading from it, as well as rolling certificates. [raft]: https://github.com/hashicorp/serf 'Serf by HashiCorp' +[modern-tls]: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility