Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TF-8697: Support TLS 1.3 #297

Merged
merged 2 commits into from
Sep 14, 2023
Merged

TF-8697: Support TLS 1.3 #297

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
76b8a47
feat: support tls1.3
sudomateo Sep 13, 2023
a0ef497
Update changelog
sudomateo Sep 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions lib/vault/client.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,8 +112,8 @@ def pool

@nhp.verify_mode = OpenSSL::SSL::VERIFY_PEER

# Vault requires TLS1.2
@nhp.ssl_version = "TLSv1_2"
# Vault requires at least TLS1.2
@nhp.min_version = OpenSSL::SSL::TLS1_2_VERSION

# Only use secure ciphers
@nhp.ciphers = ssl_ciphers
Expand Down
31 changes: 14 additions & 17 deletions lib/vault/persistent.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,11 +74,11 @@
# #ca_path :: Directory with certificate-authorities
# #cert_store :: An SSL certificate store
# #ciphers :: List of SSl ciphers allowed
# #min_version :: Minimum SSL version to use
# #private_key :: The client's SSL private key
# #reuse_ssl_sessions :: Reuse a previously opened SSL session for a new
# connection
# #ssl_timeout :: SSL session lifetime
# #ssl_version :: Which specific SSL version to use
# #verify_callback :: For server certificate verification
# #verify_depth :: Depth of certificate verification
# #verify_mode :: How connections should be verified
Expand Down Expand Up @@ -367,6 +367,11 @@ def self.detect_idle_timeout uri, max = 10

attr_reader :name

##
# Minimum SSL version to use.

attr_reader :min_version

##
# Seconds to wait until a connection is opened. See Net::HTTP#open_timeout

Expand Down Expand Up @@ -437,14 +442,6 @@ def self.detect_idle_timeout uri, max = 10

attr_reader :ssl_timeout

##
# SSL version to use.
#
# By default, the version will be negotiated automatically between client
# and server. Ruby 1.9 and newer only.

attr_reader :ssl_version

##
# Where this instance's last-use times live in the thread local variables

Expand Down Expand Up @@ -531,9 +528,9 @@ def initialize name=nil, proxy=nil, pool_size=Vault::Defaults::DEFAULT_POOL_SIZE
@ca_file = nil
@ca_path = nil
@ciphers = nil
@min_version = nil
@private_key = nil
@ssl_timeout = nil
@ssl_version = nil
@verify_callback = nil
@verify_depth = nil
@verify_mode = nil
Expand Down Expand Up @@ -1046,8 +1043,8 @@ def ssl connection
connection.use_ssl = true

connection.ciphers = @ciphers if @ciphers
connection.min_version = @min_version if @min_version
connection.ssl_timeout = @ssl_timeout if @ssl_timeout
connection.ssl_version = @ssl_version if @ssl_version

connection.verify_depth = @verify_depth
connection.verify_mode = @verify_mode
Expand Down Expand Up @@ -1101,19 +1098,19 @@ def ssl connection
end

##
# SSL session lifetime
# Minimum SSL version to use

def ssl_timeout= ssl_timeout
@ssl_timeout = ssl_timeout
def min_version= min_version
@min_version = min_version

reconnect_ssl
end

##
# SSL version to use
# SSL session lifetime

def ssl_version= ssl_version
@ssl_version = ssl_version
def ssl_timeout= ssl_timeout
@ssl_timeout = ssl_timeout

reconnect_ssl
end
Expand Down