Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0

Restrict cipher suites and TLS protocol versions #4017

Open pantaoran opened 7 months ago

pantaoran commented 7 months ago

Feature or Problem Description

When running Apicurio in my enterprise environment, it needs to pass a pentest. They will check that no SSL/TLS versions are used which are considered insecure, so anything below TLSv1.2 is out.

Proposed Solution

I would like to have the option to configure Apicurio so that only TLSv1.2 and TLSv1.3 are offered to clients connecting to either the API or the GUI. Additionally, I would like to restrict the available cipher suites, analogously to the Kafka setting ssl.cipher.suites.

I didn't find anything in the docs, so I assume that this is not possible today, but I would be happy to be proven wrong :-)
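The policy requested above (minimum TLSv1.2, an explicit cipher-suite allow list in the spirit of Kafka's ssl.cipher.suites) can be expressed with the Python standard-library ssl module. The following is an added illustration, not Apicurio Registry configuration or code from the project: it builds a hardened server context, exposes the cipher suites that context would actually offer, and provides a check that a defender can run against negotiated (version, cipher) pairs seen in logs or a scan report. The cipher string and the function names are this example's own choices.

```python
import ssl

# Policy: nothing below TLS 1.2 (the pentest requirement from the issue),
# and only ECDHE key exchange with AEAD bulk ciphers. The OpenSSL cipher
# string below is an assumption for illustration; tune it to local policy.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_server_context():
    """Server-side SSLContext that refuses TLS 1.0/1.1 and legacy suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION          # rejects TLSv1 and TLSv1.1 handshakes
    ctx.set_ciphers(CIPHER_STRING)             # restricts the TLS 1.2 suites offered
    return ctx


def enabled_suites(ctx=None):
    """Return the (protocol, cipher-name) pairs the context will negotiate.

    TLS 1.3 suites are reported by OpenSSL alongside the TLS 1.2 list, so
    the result covers both versions the policy allows.
    """
    ctx = ctx or hardened_server_context()
    return {(c["protocol"], c["name"]) for c in ctx.get_ciphers()}


def is_acceptable(version, cipher, ctx=None):
    """Check a negotiated (version, cipher) pair against the policy.

    Useful for triaging scan output: anything below TLS 1.2 fails outright,
    and a cipher only passes if this context would offer it for that version.
    """
    if version not in ALLOWED_VERSIONS:
        return False
    return (version, cipher) in enabled_suites(ctx)


def policy_summary():
    """Human-readable summary of what the hardened context offers."""
    suites = sorted(enabled_suites())
    return {
        "minimum_version": MIN_VERSION.name,
        "tls12_suites": [n for p, n in suites if p == "TLSv1.2"],
        "tls13_suites": [n for p, n in suites if p == "TLSv1.3"],
    }


if __name__ == "__main__":
    # Constructed sample of negotiated sessions, e.g. as parsed from a scan report.
    observed = [
        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
        ("TLSv1.1", "ECDHE-RSA-AES128-GCM-SHA256"),  # version below policy minimum
        ("TLSv1.2", "AES128-SHA"),                   # static RSA, CBC: not in allow list
        ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ]
    for version, cipher in observed:
        verdict = "OK " if is_acceptable(version, cipher) else "FAIL"
        print(f"{verdict} {version:8} {cipher}")
    print(policy_summary())
```

Note that this only governs the server's own listener; as the maintainer reply below this post points out for platform deployments, the effective policy is whatever the terminating router or load balancer enforces, so the check function is the part worth running against the externally visible endpoint.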

apicurio-bot[bot] commented 7 months ago

Thank you for reporting an issue!

Pinging @EricWittmann to respond or triage.

carlesarnal commented 7 months ago

This is certainly not possible today at the application level, but usually, Apicurio Registry is deployed on a platform like OpenShift, where TLS versions are not only enabled/disabled at the router level but the minimum version for the modern profile is 1.3, so it's up to your configuration to change that situation. If we're talking about deploying the application on bare metal, that is a different history, but I can anticipate that implementing such a feature would have low priority on our side (although we're always open to contributions!).