Bug 1823852: pkg/server: disable weak TLS versions #1649
Conversation
Coming from an user request but it makes sense as we (OpenShift) use and control that port. Signed-off-by: Antonio Murdaca <[email protected]>
openshift-ci-robot
added
the
bugzilla/valid-bug
|
@runcom: This pull request references Bugzilla bug 1823852, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
runcom
added
the
do-not-merge/hold
openshift-ci-robot
added
the
approved
|
@runcom: This pull request references Bugzilla bug 1823852, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.4 |
|
@runcom: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.3 |
|
@runcom: once the present PR merges, I will cherry-pick it on top of release-4.3 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
|
/retest |
|
@runcom: The
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
|
/retest |
|
/skip |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
This is good to go now, ptal |
Co-Authored-By: Colin Walters <[email protected]> Signed-off-by: Antonio Murdaca <[email protected]>
The only thing hitting this endpoint now should be CoreOS; so the minimum version here is really "maximum TLS supported by CoreOS". I suspect in fact we could bump it up to 1.3. Although, I guess more precisely it's "maximum TLS supported by RHCOS 4.1...since we don't update bootimages yet. |
awesome, that was my impression as well: since we control the other side of the connection, we can safely assume those are going to be the only proto to be used. Anyway, since TLS 1.2 doesn't seem to be an issue, what if we stick with that? or do you feel strong about moving to 1.3? |
|
from all the e2e tests failing tho, I'm not sure if we can do this lol will keep checking. |
|
/skip |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ashcrow, runcom, sinnykumari The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/refresh |
1 similar comment
|
/refresh |
|
/retest e2e-aws |
|
@runcom: The
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test e2e-aws |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/refresh |
|
/test e2e-aws |
|
/retest |
|
/refresh |
|
/retest |
|
PR seems to be hitting a lot of prometheus related erors in e2e-aws.. are these flakes/known bugs? |
|
/refresh |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@runcom: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@runcom: All pull requests linked via external trackers have merged: openshift/machine-config-operator#1649. Bugzilla bug 1823852 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@runcom: new pull request created: #1680 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@runcom: new pull request created: #1681 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Coming from an user request but it makes sense as we (OpenShift) use and control
that port.
It's not fully clear to me if we can drop tls < 1.2 but I'm leaning toward so for security reasons
Signed-off-by: Antonio Murdaca [email protected]
@cgwalters also ptal