Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TF-8697: Support TLS 1.3 #297

Merged
merged 2 commits into from
Sep 14, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,12 @@

## v?.??.? (Unreleased)

## v0.18.0 (September 14, 2023)

IMPROVEMENTS

- Added support for TLS v1.3 by replacing `ssl_version` with `min_version`.

## v0.17.0 (May 11, 2022)

IMPROVEMENTS
Expand Down
4 changes: 2 additions & 2 deletions lib/vault/client.rb
Original file line number Diff line number Diff line change
Expand Up @@ -112,8 +112,8 @@ def pool

@nhp.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Vault requires TLS1.2
@nhp.ssl_version = "TLSv1_2"
# Vault requires at least TLS1.2
@nhp.min_version = OpenSSL::SSL::TLS1_2_VERSION

# Only use secure ciphers
@nhp.ciphers = ssl_ciphers
Expand Down
31 changes: 14 additions & 17 deletions lib/vault/persistent.rb
Original file line number Diff line number Diff line change
Expand Up @@ -74,11 +74,11 @@
# #ca_path :: Directory with certificate-authorities
# #cert_store :: An SSL certificate store
# #ciphers :: List of SSl ciphers allowed
# #min_version :: Minimum SSL version to use
# #private_key :: The client's SSL private key
# #reuse_ssl_sessions :: Reuse a previously opened SSL session for a new
# connection
# #ssl_timeout :: SSL session lifetime
# #ssl_version :: Which specific SSL version to use
# #verify_callback :: For server certificate verification
# #verify_depth :: Depth of certificate verification
# #verify_mode :: How connections should be verified
Expand Down Expand Up @@ -367,6 +367,11 @@ def self.detect_idle_timeout uri, max = 10

attr_reader :name

##
# Minimum SSL version to use.

attr_reader :min_version

##
# Seconds to wait until a connection is opened. See Net::HTTP#open_timeout

Expand Down Expand Up @@ -437,14 +442,6 @@ def self.detect_idle_timeout uri, max = 10

attr_reader :ssl_timeout

##
# SSL version to use.
#
# By default, the version will be negotiated automatically between client
# and server. Ruby 1.9 and newer only.

attr_reader :ssl_version

##
# Where this instance's last-use times live in the thread local variables

Expand Down Expand Up @@ -531,9 +528,9 @@ def initialize name=nil, proxy=nil, pool_size=Vault::Defaults::DEFAULT_POOL_SIZE
@ca_file = nil
@ca_path = nil
@ciphers = nil
@min_version = nil
@private_key = nil
@ssl_timeout = nil
@ssl_version = nil
@verify_callback = nil
@verify_depth = nil
@verify_mode = nil
Expand Down Expand Up @@ -1046,8 +1043,8 @@ def ssl connection
connection.use_ssl = true

connection.ciphers = @ciphers if @ciphers
connection.min_version = @min_version if @min_version
connection.ssl_timeout = @ssl_timeout if @ssl_timeout
connection.ssl_version = @ssl_version if @ssl_version

connection.verify_depth = @verify_depth
connection.verify_mode = @verify_mode
Expand Down Expand Up @@ -1101,19 +1098,19 @@ def ssl connection
end

##
# SSL session lifetime
# Minimum SSL version to use

def ssl_timeout= ssl_timeout
@ssl_timeout = ssl_timeout
def min_version= min_version
@min_version = min_version

reconnect_ssl
end

##
# SSL version to use
# SSL session lifetime

def ssl_version= ssl_version
@ssl_version = ssl_version
def ssl_timeout= ssl_timeout
@ssl_timeout = ssl_timeout

reconnect_ssl
end
Expand Down