Add TLS min/max version. #641
Conversation
|
Note to reviewers: I created the subheading "Common options" and included also ciphers intentionally under that. Currently it might be bit too easy to confuse that to belong to "Peer (server-to-server / cluster) communication" options, although it impacts both. |
|
@ahrtr afaik, it's a manual update. Considering it's easy to miss manual updating, one quick solution would be to add a sentence in the guide to point to help.go for the latest. For example, add "For the most latest flags, refer to the Security flags." after |
| @@ -164,6 +164,10 @@ Flags are presented below using the format `--flag-name DEFAULT_VALUE`. | |||
| Comma-separated whitelist of origins for CORS, or cross-origin resource sharing, (empty or * means allow all). | |||
| --host-whitelist '*' | |||
| Acceptable hostnames from HTTP client requests, if server is not secure (empty or * means allow all). | |||
| --tls-min-version 'TLS12' | |||
| Minimum TLS version supported by etcd. Possible values: TLS12, TLS13. | |||
There was a problem hiding this comment.
I would suggest to remove possible values so that we don't need to maintain updates in the future.
There was a problem hiding this comment.
I will fix it, but I wonder how users will find the accepted values?
| --tls-min-version 'TLS12' | ||
| Minimum TLS version supported by etcd. Possible values: TLS12, TLS13. | ||
| --tls-max-version '' | ||
| Maximum TLS version supported by etcd. Possible values: TLS12, TLS13 (empty will be auto-populated by Go). |
There was a problem hiding this comment.
Same here, we should remove possible values so that we don't need to maintain updates in the future. Leaving, Empty will be auto-populated by Go. is fine.
| @@ -42,8 +42,16 @@ The peer options work the same way as the client-to-server options: | |||
|
|
|||
| If either a client-to-server or peer certificate is supplied the key must also be set. All of these configuration options are also available through the environment variables, `ETCD_CA_FILE`, `ETCD_PEER_CA_FILE` and so on. | |||
|
|
|||
| **Common options:** | |||
|
|
|||
| `--cipher-suites`: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+. | |||
There was a problem hiding this comment.
We don't support 3.2 and 3.3, so I think Available from v3.2.22+, v3.3.7+, and v3.4+. is not needed.
| `--cipher-suites`: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+. | ||
|
|
||
| `--tls-min-version=<version>` Sets the minimum TLS version supported by etcd. The default value is `TLS12`. |
There was a problem hiding this comment.
Same, The default value is TLS12. is not needed.
Thanks @spzala for the feedback. The security doc is relatively simple, so I am not much concerning about it. Instead, the configuration doc is supposed to contain all available flags. But obvious it isn't. For example the following flags are missing, So it makes more sense to add a link in the configuration doc. |
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
from
357eb17
to
d5b401c
Compare
Thank you for review @spzala! I have now removed the specifics: protocol versions and cipher-suite etcd versions (just for clarity: etcd-io/etcd#15156 did not touch ciphers). This is to avoid further updates on the web site when the values change in future. The values remain in |
@ahrtr yrw, and yes! I was thinking to suggest to make those changes in this PR but with some more thoughts, I think I can clean up config file to address maintenance issue. The help.go is a go file but it's a structured almost as a doc. Let me create a separate PR for this for an easier review of changes. Thanks! |
Thanks @tsaarni - we need to wait for the etcd repo PR to merge. |
|
The implementation etcd-io/etcd#15156 is now merged! |
@tsaarni thanks! I am good with this PR but one more small request. Can you please add this sentence (or something similar if you have a different opinion) at the end of first section (right before Basic setup section) |
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
from
d5b401c
to
0b6aebe
Compare
@spzala Sure, no problem! I've added the text. I added it only to the latest release version i.e. the only version this PR has modified so far. |
That's good. Thanks @tsaarni |
|
cc @ahrtr |
| @@ -166,6 +166,10 @@ The list of flags provided below may not be up-to-date due to ongoing developmen | |||
| Comma-separated whitelist of origins for CORS, or cross-origin resource sharing, (empty or * means allow all). | |||
| --host-whitelist '*' | |||
| Acceptable hostnames from HTTP client requests, if server is not secure (empty or * means allow all). | |||
| --tls-min-version 'TLS12' | |||
There was a problem hiding this comment.
It's "TLS1.2" in etcd-io/etcd#15156, so I suggest to keep it consistent.
There was a problem hiding this comment.
Sorry for missing that! I've pushed a fix.
Documentation for new optional flags for setting TLS versions. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
from
0b6aebe
to
566ac46
Compare
Documentation for new optional flags for setting TLS versions, which will be introduced in PR etcd-io/etcd#15156
Signed-off-by: Tero Saarni tero.saarni@est.tech