Open pantaoran opened 7 months ago
Thank you for reporting an issue!
Pinging @EricWittmann to respond or triage.
This is certainly not possible today at the application level, but usually, Apicurio Registry is deployed on a platform like Openshift, where TLS versions are not only enabled/disabled at the router level but the minimum version for the modern profile is 1.3, so it's up to your configuration to change that situation. If we're talking about deploying the application in bare metal, that is a different history, but I can anticipate that implementing such a feature would have low priority on our side (although we're always open to contributions!).
Feature or Problem Description
When running Apicurio in my enterprise environment, it needs to pass a pentest. They will check that no SSL/TLS versions are used which are considered insecure, so anything below TLSv1.2 is out.
Proposed Solution
I would like to have the option to configure Apicurio so that only TLSv1.2 and TLSv1.3 are offered to clients connecting to either API or GUI. Additionally, I would like to restrict the available cipher suites, analogously to the Kafka setting ssl.cipher.suites.
I didn't find anything in the docs, so I assume that this is not possible today, but I would be happy to be proven wrong :-)
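Since the maintainer's reply points at the OpenShift router as the place where the TLS floor and cipher list are set, here is an added example (not from the Apicurio Registry project or this thread) of an IngressController TLS security profile that enforces the TLSv1.2+ requirement from the issue and pins a small cipher list. It assumes the Registry routes are served by the cluster's default IngressController and that a Custom profile (rather than the built-in Modern profile, which requires TLS 1.3) is acceptable to the pentest policy.

```yaml
# Added example: restrict the OpenShift router to TLS 1.2+ and a fixed cipher list.
# Assumption: Apicurio Registry's API and UI routes go through the "default" IngressController.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  tlsSecurityProfile:
    # "Custom" lets us set both the minimum version and the cipher list explicitly;
    # "Modern" would also satisfy "no TLS < 1.2" but raises the floor to TLS 1.3.
    type: Custom
    custom:
      # TLS 1.0 and 1.1 are never offered; TLS 1.3 is still negotiated when the client supports it.
      minTLSVersion: VersionTLS12
      # TLS 1.2 suites only: forward-secret ECDHE key exchange with AEAD ciphers.
      # TLS 1.3 suites are fixed by the protocol and are not affected by this list.
      ciphers:
        - ECDHE-ECDSA-AES128-GCM-SHA256
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
```

After applying it, the router pods are rolled; verifying the Registry route with a TLS scanner afterwards should show only TLSv1.2 and TLSv1.3 accepted, which is the evidence the pentest in the issue asks for.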