tls: support setting min version to TLS1.3 (#23713)

Nomad already supports TLS1.3, but not as a minimum version configuration. Update our config validation to allow setting `tls_min_version` to 1.3. Update the documentation to match Vault and warn that the `tls_cipher_suites` field is ignored when TLS is 1.3 Fixes: https://github.com/hashicorp/nomad/issues/20131 Ref: https://hashicorp.atlassian.net/browse/NET-10530
2026-01-01 16:05:42 +03:00 · 2024-08-01 08:46:32 -04:00
parent 2e62c37676
commit 2ee6043cab
5 changed files with 13 additions and 5 deletions
--- a/.changelog/23713.txt
+++ b/.changelog/23713.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+tls: Allow setting the `tls_min_version` field to `"tls13"`
+```
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -22,6 +22,7 @@ var supportedTLSVersions = map[string]uint16{
 	"tls10": tls.VersionTLS10,
 	"tls11": tls.VersionTLS11,
 	"tls12": tls.VersionTLS12,
+	"tls13": tls.VersionTLS13,
 }

 // supportedTLSCiphers are the complete list of TLS ciphers supported by Nomad
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
@@ -949,9 +949,7 @@ func TestConfig_ParseMinVersion_Invalid(t *testing.T) {

 	require := require.New(t)

-	invalidVersions := []string{"tls13",
-		"tls15",
-	}
+	invalidVersions := []string{"ssl3", "tls14", "tls15"}

 	for _, version := range invalidVersions {
 		parsedVersion, err := ParseMinVersion(version)
--- a/nomad/structs/config/tls.go
+++ b/nomad/structs/config/tls.go
@@ -64,7 +64,7 @@ type TLSConfig struct {
 	TLSCipherSuites string `hcl:"tls_cipher_suites"`

 	// TLSMinVersion is used to set the minimum TLS version used for TLS
-	// connections. Should be either "tls10", "tls11", or "tls12".
+	// connections. Should be either "tls10", "tls11", "tls12", "tls13".
 	TLSMinVersion string `hcl:"tls_min_version"`

 	// TLSPreferServerCipherSuites controls whether the server selects the
--- a/website/content/docs/configuration/tls.mdx
+++ b/website/content/docs/configuration/tls.mdx
@@ -73,10 +73,15 @@ the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-securi
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

+  Nomad does not accept explicit ciphersuite configuration when for TLS 1.3
+  because the Go team has already designated a select set of ciphers that align
+  with the broadly-accepted Mozilla Security/Server Side TLS guidance for
+  [modern TLS configuration][modern-tls].
+
 ~> **Warning:** the use of insecure cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and TLS_RSA_WITH_AES_128_CBC_SHA256 is now unsupported.

 - `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version
-  of TLS. Accepted values are "tls10", "tls11", "tls12".
+  of TLS. Accepted values are "tls10", "tls11", "tls12", "tls13".

 - `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether
  TLS connections should prefer the server's ciphersuites over the client's.
@@ -129,3 +134,4 @@ connections will be closed. This process works when upgrading to TLS,
 downgrading from it, as well as rolling certificates.

 [raft]: https://github.com/hashicorp/serf 'Serf by HashiCorp'
+[modern-tls]: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility