
Set min. TLS version

Open ZCouri opened this issue 3 years ago • 8 comments

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Use Cases

Currently it is not possible to configure Vector to support a min TLS protocol version for e.g. http & socket sources. This means that less secure protocol versions (TLS1.0 & TLS1.1) would be enabled, which can potentially get flagged by vulnerability & security scans.

The request is to be able to set a minimum TLS protocol version, so that e.g. only TLS1.2+ is enabled for TLS connections.

Attempted Solutions

The min TLS protocol version is not currently possible to set in vector config.

Proposal

I understand that the openssl crate used for vector does have this configuration available for use: https://docs.rs/openssl/latest/openssl/ssl/struct.SslConnectorBuilder.html#method.set_min_proto_version

References

No response

Version

0.20.0

ZCouri avatar Mar 23 '22 17:03 ZCouri

Currently Vector uses mozilla_intermediate SSL acceptor for TLS default settings, which as detailed in this issue https://github.com/sfackler/rust-openssl/issues/1453 disables TLS1.3 by default.

I would suggest following the recommendation on that issue and moving to mozilla_intermediate_v5 https://docs.rs/openssl/0.10.33/openssl/ssl/struct.SslAcceptor.html#method.mozilla_intermediate_v5 which corresponds to the current version of the Mozilla standards.

However this is separate from allowing the user to manually select a minimum TLS version via configuration, so should perhaps be another issue?

fraserdarwent avatar Mar 28 '22 10:03 fraserdarwent
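The two points above, a configurable protocol floor and a default that actually offers TLS 1.3, are both things an operator wants to verify from the outside. The following is an added example, not code from Vector or from the openssl crate. It uses Python's `ssl` module, which wraps the same OpenSSL call the Rust crate exposes as `set_min_proto_version` (`SSLContext.minimum_version` maps to `SSL_CTX_set_min_proto_version`), to build a server context with the floor pinned, and to probe a running endpoint by offering exactly one protocol version per handshake so you can see which of TLS1.0/1.1/1.2/1.3 it accepts. The function names, the `VERSIONS` table and the `LEGACY` list are this example's own; nothing here is a Vector config key.

```python
"""Added example (not Vector's or the openssl crate's code): pin a TLS floor on a
server context and probe a live endpoint for which protocol versions it accepts."""
import socket
import ssl

# Name -> ssl.TLSVersion, in the order a scanner would report them.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Versions that compliance scans flag when a server completes a handshake with them.
LEGACY = ("TLSv1", "TLSv1.1")
# Whether the *local* OpenSSL can speak each version at all. Many OpenSSL 3 builds
# cannot do TLS1.0/1.1, so a probe from such a host proves nothing about the server;
# those versions are reported as None ("untestable") rather than "rejected".
LOCAL_SUPPORT = {
    "TLSv1": ssl.HAS_TLSv1,
    "TLSv1.1": ssl.HAS_TLSv1_1,
    "TLSv1.2": ssl.HAS_TLSv1_2,
    "TLSv1.3": ssl.HAS_TLSv1_3,
}


def server_context(min_version="TLSv1.2", certfile=None, keyfile=None):
    """Server-side context with the protocol floor set explicitly.

    Without an explicit floor the accepted range is whatever the linked OpenSSL
    and its security level default to, which is the scanner finding in the issue.
    certfile/keyfile are optional so the context can be built (and inspected)
    without key material on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = VERSIONS[min_version]  # SSL_CTX_set_min_proto_version
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def _client_pinned_to(version):
    """Client context that offers exactly one protocol version in its ClientHello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # We are probing protocol support, not identity: skip certificate checks.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_versions(host, port, names=tuple(VERSIONS), timeout=5.0):
    """Return {name: True (handshake completed) | False (rejected) | None (untestable)}."""
    results = {}
    for name in names:
        if not LOCAL_SUPPORT[name]:
            results[name] = None
            continue
        try:
            ctx = _client_pinned_to(VERSIONS[name])
        except ValueError:  # local library refuses to configure this version
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    # Both ends of the range are pinned, so the negotiated
                    # version must be the one we offered.
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def legacy_accepted(results):
    """Legacy versions the server actually completed a handshake with.

    Empty means the endpoint would pass a TLS1.2+ check. None entries are not
    counted; report them separately instead of reading "could not test" as "rejected".
    """
    return [name for name in LEGACY if results.get(name) is True]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. a TLS-enabled http source
    res = probe_versions(host, port)
    for name, ok in res.items():
        state = "untestable" if ok is None else ("accepted" if ok else "rejected")
        print(f"{name:8} {state}")
    print("legacy versions accepted:", legacy_accepted(res) or "none")
```

Run it as `python probe.py <host> <port>` against the listener. A clean result is TLSv1 and TLSv1.1 rejected, TLSv1.2 and TLSv1.3 accepted; TLSv1.3 rejected while TLSv1.2 is accepted is the symptom of a server profile that still disables 1.3, which is the second point raised above. Treat "untestable" as a gap in your scanner, not as evidence about the server.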

@ZCouri @fraserdarwent @jszwedko Any updates on this? It has been open for close to a year. Deployed Vector instances using the HTTP server will fail security compliance checks since they are serving TLS1.0 and TLS1.1.

Ideally we should be able to set a minimum TLS version, and possibly limit TLS ciphers to only secure ciphers.

gaby avatar Apr 19 '23 21:04 gaby

Unfortunately, no, there are no updates to this. I agree it is going to quickly become an issue for more people, so I have bumped up the visibility of it here. We would also welcome a PR to move this forward.

bruceg avatar Apr 20 '23 22:04 bruceg

@bruceg I was going to do a PR, but lack Rust skills 😂 I can help with the CUE files though.

I'm also not sure how others are running this and exposing a service with TLS1.0; you may as well not run TLS at all.

gaby avatar Apr 20 '23 22:04 gaby

Seems like redhat has some kind of fork of Vector where they changed these values:

https://github.com/ViaQ/vector/pull/119

gaby avatar Apr 21 '23 05:04 gaby

@bruceg PR sent :-)

gaby avatar Apr 21 '23 05:04 gaby

@bruceg @jszwedko Can anything be done about this? There's no reason for Vector to be supporting TLSv1.0, TLSv1.1

I can create the PR again if needed.

gaby avatar May 08 '24 05:05 gaby

Hey! Agreed, we just wanted it to be configurable as mentioned on https://github.com/vectordotdev/vector/pull/17191#issuecomment-1520433316. We'd be happy to see a new PR for this!

jszwedko avatar May 08 '24 13:05 jszwedko