Use TLS 1.2 by default when min_version is not defined (open-telemetr…

…y#5956) * Use TLS 1.2 by default when min_version is not defined * Update changelog and docs * Update changelog
iblancasa · Aug 26, 2022 · 1eda0c4 · 1eda0c4
1 parent fe28ec9
commit 1eda0c4
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,7 @@
 - Replace `processorhelper.New[Traces|Metrics|Logs]Exporter` with `processorhelper.New[Traces|Metrics|Logs]ProcessorWithCreateSettings` definition (#5915)
 - Replace `exporterhelper.New[Traces|Metrics|Logs]Exporter` with `exporterhelper.New[Traces|Metrics|Logs]ExporterWithContext` definition (#5914)
 - Replace ``component.NewExtensionFactory`` with `component.NewExtensionFactoryWithStabilityLevel` definition (#5917)
+- Set TLS 1.2 as default for `min_version` for TLS configuration in case this property is not defined (affects servers). (#5956)
 
 ### 🚩 Deprecations 🚩
 

diff --git a/config/configtls/README.md b/config/configtls/README.md
@@ -36,10 +36,12 @@ won't use TLS at all.
 
 Minimum and maximum TLS version can be set:
 
-- `min_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L694)): Minimum acceptable TLS version.
+__IMPORTANT__: TLS 1.0 and 1.1 are deprecated due to known vulnerabilities and should be avoided.
+
+- `min_version` (default = "1.2"): Minimum acceptable TLS version.
   - options: ["1.0", "1.1", "1.2", "1.3"]
 
-- `max_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L700)): Maximum acceptable TLS version.
+- `max_version` (default = "" handled by [crypto/tls](https://github.com/golang/go/blob/master/src/crypto/tls/common.go#L700) - currently TLS 1.3): Maximum acceptable TLS version.
   - options: ["1.0", "1.1", "1.2", "1.3"]
 
 Additionally certifaces may be reloaded by setting the below configuration.

diff --git a/config/configtls/configtls.go b/config/configtls/configtls.go
@@ -25,6 +25,13 @@ import (
 	"time"
 )
 
+// We should avoid that users unknowingly use a vulnerable TLS version.
+// The defaults should be a safe configuration
+const defaultMinTLSVersion = tls.VersionTLS12
+
+// Uses the default MaxVersion from "crypto/tls" which is the maximum supported version
+const defaultMaxTLSVersion = 0
+
 // TLSSetting exposes the common client and server TLS configurations.
 // Note: Since there isn't anything specific to a server connection. Components
 // with server connections should use TLSSetting.
@@ -41,7 +48,7 @@ type TLSSetting struct {
 	KeyFile string `mapstructure:"key_file"`
 
 	// MinVersion sets the minimum TLS version that is acceptable.
-	// If not set, refer to crypto/tls for defaults. (optional)
+	// If not set, TLS 1.2 will be used. (optional)
 	MinVersion string `mapstructure:"min_version"`
 
 	// MaxVersion sets the maximum TLS version that is acceptable.
@@ -176,11 +183,11 @@ func (c TLSSetting) loadTLSConfig() (*tls.Config, error) {
 		getClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) { return certReloader.GetCertificate() }
 	}
 
-	minTLS, err := convertVersion(c.MinVersion)
+	minTLS, err := convertVersion(c.MinVersion, defaultMinTLSVersion)
 	if err != nil {
 		return nil, fmt.Errorf("invalid TLS min_version: %w", err)
 	}
-	maxTLS, err := convertVersion(c.MaxVersion)
+	maxTLS, err := convertVersion(c.MaxVersion, defaultMaxTLSVersion)
 	if err != nil {
 		return nil, fmt.Errorf("invalid TLS max_version: %w", err)
 	}
@@ -239,10 +246,10 @@ func (c TLSServerSetting) LoadTLSConfig() (*tls.Config, error) {
 	return tlsCfg, nil
 }
 
-func convertVersion(v string) (uint16, error) {
-	// Defaults will be handled by go/crypto/tls
+func convertVersion(v string, defaultVersion uint16) (uint16, error) {
+	// Use a default that is explicitly defined
 	if v == "" {
-		return 0, nil
+		return defaultVersion, nil
 	}
 	val, ok := tlsVersions[v]
 	if !ok {

diff --git a/config/configtls/configtls_test.go b/config/configtls/configtls_test.go
@@ -361,8 +361,8 @@ func TestMinMaxTLSVersions(t *testing.T) {
 		outMaxVersion uint16
 		errorTxt      string
 	}{
-		{name: `TLS Config ["", ""] to give [0, 0]`, minVersion: "", maxVersion: "", outMinVersion: 0, outMaxVersion: 0},
-		{name: `TLS Config ["", "1.3"] to give [0, TLS1.3]`, minVersion: "", maxVersion: "1.3", outMinVersion: 0, outMaxVersion: tls.VersionTLS13},
+		{name: `TLS Config ["", ""] to give [TLS1.2, 0]`, minVersion: "", maxVersion: "", outMinVersion: tls.VersionTLS12, outMaxVersion: 0},
+		{name: `TLS Config ["", "1.3"] to give [TLS1.2, TLS1.3]`, minVersion: "", maxVersion: "1.3", outMinVersion: tls.VersionTLS12, outMaxVersion: tls.VersionTLS13},
 		{name: `TLS Config ["1.2", ""] to give [TLS1.2, 0]`, minVersion: "1.2", maxVersion: "", outMinVersion: tls.VersionTLS12, outMaxVersion: 0},
 		{name: `TLS Config ["1.3", "1.3"] to give [TLS1.3, TLS1.3]`, minVersion: "1.3", maxVersion: "1.3", outMinVersion: tls.VersionTLS13, outMaxVersion: tls.VersionTLS13},
 		{name: `TLS Config ["1.0", "1.1"] to give [TLS1.0, TLS1.1]`, minVersion: "1.0", maxVersion: "1.1", outMinVersion: tls.VersionTLS10, outMaxVersion: tls.VersionTLS11},