diff --git a/.changelog/23713.txt b/.changelog/23713.txt new file mode 100644 index 000000000..7936de6aa --- /dev/null +++ b/.changelog/23713.txt @@ -0,0 +1,3 @@ +```release-note:improvement +tls: Allow setting the `tls_min_version` field to `"tls13"` +``` diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go index 9c57b9a33..37bb5aefe 100644 --- a/helper/tlsutil/config.go +++ b/helper/tlsutil/config.go @@ -22,6 +22,7 @@ var supportedTLSVersions = map[string]uint16{ "tls10": tls.VersionTLS10, "tls11": tls.VersionTLS11, "tls12": tls.VersionTLS12, + "tls13": tls.VersionTLS13, } // supportedTLSCiphers are the complete list of TLS ciphers supported by Nomad diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go index e67f1adaf..b99dde686 100644 --- a/helper/tlsutil/config_test.go +++ b/helper/tlsutil/config_test.go @@ -949,9 +949,7 @@ func TestConfig_ParseMinVersion_Invalid(t *testing.T) { require := require.New(t) - invalidVersions := []string{"tls13", - "tls15", - } + invalidVersions := []string{"ssl3", "tls14", "tls15"} for _, version := range invalidVersions { parsedVersion, err := ParseMinVersion(version) diff --git a/nomad/structs/config/tls.go b/nomad/structs/config/tls.go index 3ae147616..f2e27bfa0 100644 --- a/nomad/structs/config/tls.go +++ b/nomad/structs/config/tls.go @@ -64,7 +64,7 @@ type TLSConfig struct { TLSCipherSuites string `hcl:"tls_cipher_suites"` // TLSMinVersion is used to set the minimum TLS version used for TLS - // connections. Should be either "tls10", "tls11", or "tls12". + // connections. Should be either "tls10", "tls11", "tls12", "tls13". TLSMinVersion string `hcl:"tls_min_version"` // TLSPreferServerCipherSuites controls whether the server selects the diff --git a/website/content/docs/configuration/tls.mdx b/website/content/docs/configuration/tls.mdx index 4957e5bed..8d88678fa 100644 --- a/website/content/docs/configuration/tls.mdx +++ b/website/content/docs/configuration/tls.mdx @@ -73,10 +73,15 @@ the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-securi TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. + Nomad does not accept explicit ciphersuite configuration when for TLS 1.3 + because the Go team has already designated a select set of ciphers that align + with the broadly-accepted Mozilla Security/Server Side TLS guidance for + [modern TLS configuration][modern-tls]. + ~> **Warning:** the use of insecure cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and TLS_RSA_WITH_AES_128_CBC_SHA256 is now unsupported. - `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version - of TLS. Accepted values are "tls10", "tls11", "tls12". + of TLS. Accepted values are "tls10", "tls11", "tls12", "tls13". - `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether TLS connections should prefer the server's ciphersuites over the client's. @@ -129,3 +134,4 @@ connections will be closed. This process works when upgrading to TLS, downgrading from it, as well as rolling certificates. [raft]: https://github.com/hashicorp/serf 'Serf by HashiCorp' +[modern-tls]: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility