Skip to content

feat: add tlsv1.3 to default cipher suites #128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
May 20, 2024
Merged

feat: add tlsv1.3 to default cipher suites #128

merged 10 commits into from
May 20, 2024

Conversation

cwaldren-ld
Copy link
Contributor

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

#127

Describe the solution you've provided

SDK client should be able to connect successfully to a server presenting TLSv1.2 and TLSv1.3 cipher suites.

Describe alternatives you've considered

Only support TLSv1.2 specifically.

@kinyoklion kinyoklion marked this pull request as ready for review May 20, 2024 18:36
@kinyoklion kinyoklion requested a review from a team May 20, 2024 18:36
kinyoklion
kinyoklion reviewed May 20, 2024
View reviewed changes
src/ldclient_config.erl
@@ -135,6 +135,17 @@

-define(APPLICATION_DEFAULT_OPTIONS, undefined).

%% Enable TLS 1.3 support for erlang 23 and higher.
%% TLS 1.3 support stabilized during 22, but this implementation does not work in 22.0.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The release notes say 22, and the latest 22 does work if I change this to 22. But 22.0 and 22.1 did not and I don't want to roll through all the releases to determine a point where it starts working. By having the version list be constrained we avoid the original problem regardless.

kinyoklion
kinyoklion reviewed May 20, 2024
View reviewed changes
src/ldclient_config.erl
CipherSuites = ssl:filter_cipher_suites(DefaultCipherSuites, [
-spec get_suites(TlsVersion :: ssl:protocol_version()) -> ssl:ciphers().
get_suites(TlsVersion) ->
DefaultCipherSuites = ssl:cipher_suites(default, TlsVersion),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cipher_suites function gives you all ciphers supported by the specified version and previous versions. default are the default suites, so some are already disabled for security. Not enough to pass my existing TLS tests.

exclusive gives you the ones exclusive to that version. I considered adding together the ones we had used for 1.2, and the ones that are exclusive to 1.3. That did work, but this seems a little cleaner.

@kinyoklion kinyoklion merged commit 4074483 into main May 20, 2024
5 checks passed
@kinyoklion kinyoklion deleted the cw/sc-244788/tls-v1.3 branch May 20, 2024 20:40
@github-actions github-actions bot mentioned this pull request May 20, 2024
Merged
kinyoklion pushed a commit that referenced this pull request May 20, 2024
@github-actions
chore(main): release 3.3.0 (#129)
ee96d29 
🤖 I have created a release *beep* *boop*
---


##
[3.3.0](v3.2.0...v3.3.0)
(2024-05-20)


### Features

* add tlsv1.3 to default cipher suites
([#128](#128))
([4074483](4074483))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kinyoklion kinyoklion kinyoklion left review comments

@keelerm84 keelerm84 keelerm84 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cwaldren-ld @keelerm84 @kinyoklion