Disable deprecated TLS versions 1.0, 1.1 #6910

Merged

mike-myers-tob
Member

@mike-myers-tob mike-myers-tob commented Jan 20, 2021

The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018. In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0

TLS 1.2 is the recommended minimum version of the TLS protocol to allow. Support in OpenSSL was introduced in 2012, from OpenSSL version 1.0.1. TLS 1.0 and 1.1 have been deprecated throughout the web, and osquery should drop its use of them too.

According to Zach, Fleet has supported TLS 1.2 and 1.3 for a long time (years).

@mike-myers-tob mike-myers-tob added the networking, security, and ready for review labels Jan 20, 2021
@zwass
Member

zwass commented Jan 20, 2021

We develop Fleet to support the intermediate and modern configurations specified in https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS.

@javuto
Contributor

javuto commented Jan 20, 2021

Awesome! In osctrl the TLS termination is done in nginx, so it is an easy change in the provisioning script.

@mike-myers-tob mike-myers-tob merged commit 51c4479 into osquery:master Jan 20, 2021
@mike-myers-tob mike-myers-tob deleted the mike/disable_old_tls_versions branch January 20, 2021 22:29
@mike-myers-tob mike-myers-tob removed the ready for review label Feb 3, 2021
directionless pushed a commit that referenced this pull request Feb 23, 2021
Update documentation to align with the change made in PR #6910
3 participants