Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable TLSv1.0 by default #36021

Closed
3 tasks done
jaymode opened this issue Nov 28, 2018 · 2 comments
Closed
3 tasks done

Disable TLSv1.0 by default #36021

jaymode opened this issue Nov 28, 2018 · 2 comments
Assignees
@tvernum
Labels
>enhancement :Security/TLS SSL/TLS, Certificates

Comments

@jaymode
Copy link
Member

jaymode commented Nov 28, 2018
edited by tvernum
Loading

TLSv1.0 is an older protocol that has known security issues. Given the age of this protocol and support for TLSv1.1 and TLSv1.2, we should disable TLSv1.0 by default. A user will still be able to enable TLSv1.0 if they have a need for this.

As part of this, in 6.x we need to provide a deprecation warning when a connection is made with the TLSv1.0 protocol.

Tasks
@jaymode jaymode added >enhancement :Security/TLS SSL/TLS, Certificates labels Nov 28, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@tvernum tvernum self-assigned this Jan 16, 2019
tvernum added a commit to tvernum/elasticsearch that referenced this issue Jan 16, 2019
@tvernum
Remove TLS 1.0 as a default SSL protocol
335b4c0 
The default value for ssl.supported_protocols no longer includes TLSv1
as this is an old protocol with known security issues.
Administrators can enable TLSv1.0 support by configuring the
appropriate `ssl.supported_protocols` setting, for example:

xpack.security.http.ssl.supported_protocols: ["TLSv1.2","TLSv1.1","TLSv1"]

Relates: elastic#36021
@tvernum tvernum mentioned this issue Jan 16, 2019
Merged
tvernum added a commit that referenced this issue Jan 25, 2019
@tvernum
Remove TLS 1.0 as a default SSL protocol (#37512)
03690d1 
The default value for ssl.supported_protocols no longer includes TLSv1
as this is an old protocol with known security issues.
Administrators can enable TLSv1.0 support by configuring the
appropriate `ssl.supported_protocols` setting, for example:

xpack.security.http.ssl.supported_protocols: ["TLSv1.2","TLSv1.1","TLSv1"]

Relates: #36021
@tvernum
Copy link
Contributor

tvernum commented Feb 13, 2019

Resolved in #37512, #37788, #37793

@tvernum tvernum closed this as completed Feb 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tvernum tvernum

Labels
>enhancement :Security/TLS SSL/TLS, Certificates
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tvernum @jaymode @elasticmachine