util: Use TLSv1.2 as minimum TLS version by default #36037
Conversation
|
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review. |
ti-chi-bot
added
release-note
|
Code Coverage Details: https://codecov.io/github/pingcap/tidb/commit/b36d47ece1ce3ca9216be8d87902064e58f942da |
|
@dveeden: GitHub didn't allow me to request PR reviews from the following users: likzn. Note that only pingcap members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
I think this is not a simple one line change. It might affect some users still using TLSv1.1(both conscious & unconscious). We need to see how the product managers think. |
xhebox
added
the
compatibility-breaker
Yes I agree. If people use very old clients that use YaSSL they won't be able to use TLSv1.2 or newer. However this should only be merged into master and not be backported. So this won't affect users of TiDB v6.1.x or older. This is only changing the default, so people can change the config to allow TLSv1.1 if needed. This will improve security and may also be beneficial for compliance with various regulations. |
|
This is how MySQL handles this: (source: https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html )
|
|
/label security |
|
Customers can choose TLS 1.1, 1.2, 1.3 versions, the default is to configure TLS 1.2, but does not support TLS1.0? |
By default TiDB supports TLSv1.1, 1.2 and 1.3. It can be configured to support TLSv1.0. This change would change the default to only support TLSv1.2 and TLSv1.3. |
|
@lulukelu could you suggest reviewers for this PR? |
lulukelu
requested review from
ljun0712 and
lulukelu
and removed request for
ljun0712
|
/hold I'd like to make sure @bb7133 is ok with merging this. |
ti-chi-bot
bot
added
the
do-not-merge/hold
dveeden
added
type/compatibility
compatibility-mysql8
dveeden
removed
type/compatibility
compatibility-mysql8
|
/unhold |
ti-chi-bot
bot
removed
the
do-not-merge/hold
|
@ljun0712: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold |
ti-chi-bot
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bb7133, CbcWestwolf, hawkingrei, ljun0712, lulukelu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ti-chi-bot
bot
added
lgtm
and removed
needs-1-more-lgtm
[LGTM Timeline notifier]Timeline:
|
|
/unhold |
ti-chi-bot
bot
removed
the
do-not-merge/hold
What problem does this PR solve?
Issue Number: close #36036
Problem Summary:
What is changed and how it works?
Check List
Tests
Side effects
Documentation
Release note