elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Remove TLSv1.1 from default set of supported protocols #184756

Open legrego opened 4 months ago

legrego commented 4 months ago

Part of https://github.com/elastic/kibana/issues/133575

While this is not technically a breaking change, we would like to wait for the 9.0 release to reduce the chance of unexpected upgrade failures in a minor release. Marking as blocked until we have a branch for 9.0.

TLSv1.1 has been deprecated for some time, and all of Kibana's supported browsers also support TLSv1.2 or better. We should remove this protocol from our default configuration, but still allow administrators to turn this back on via the existing server.ssl.supportedProtocols if they need the legacy behavior.

### Tasks
- [ ] Remove `TLSv1.1` from our [default set of supported protocols](https://github.com/elastic/kibana/blob/c89ee65c7034ba26006e2d426156a6de11b3505f/packages/kbn-server-http-tools/src/ssl/ssl_config.ts#L54)
- [ ] Update the documentation for `server.ssl.supportedProtocols` accordingly.
- [ ] We should change the documentation for [server.ssl.supportedProtocols](https://www.elastic.co/guide/en/kibana/8.3/settings.html#server-ssl-supportedProtocols) to mention that enabling TLS 1.1 (for example) would also require setting the `--tls-min-1.1` option in the `node.options` configuration file as described in https://github.com/elastic/kibana/issues/133575. In other words, both that and the `server.ssl.supportedProtocols` setting must match.
- [ ] Add a release note describing this change
- [ ] Create a KB article describing this change

elasticmachine commented 4 months ago

Pinging @elastic/kibana-security (Team:Security)

legrego commented 4 months ago

cc @lukeelmers as discussed