Skip to content

Set TLS minimum version to 1.2#12689

Merged
zeripath merged 2 commits into
go-gitea:masterfrom
zeripath:pr-10602-set-tls-minversion
Sep 2, 2020
Merged

Set TLS minimum version to 1.2#12689
zeripath merged 2 commits into
go-gitea:masterfrom
zeripath:pr-10602-set-tls-minversion

Conversation

@zeripath
Copy link
Copy Markdown
Contributor

@zeripath zeripath commented Sep 2, 2020
edited
Loading

Partial of #10602

Changes to TLS

Currently, Gitea allows TLS 1.0 and TLS 1.1 for HTTPS connections. These versions of TLS have long been deprecated due to security vulnerabilities, and are also no longer necessary for wide browser compatibility. The change I propose in this pull request sets TLS 1.2 as the minimum TLS version, with additional support for TLS 1.3.

On SSLLabs, we can see the difference. Before the changes:

Screen Shot 2020-03-04 at 9 46 22 AM

After the changes:

Screen Shot 2020-03-04 at 10 40 38 AM

Closes #10602

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath
Set TLS minimum version to 1.2
520f86a 
Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Sep 2, 2020
techknowlogick
techknowlogick approved these changes Sep 2, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@techknowlogick techknowlogick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for splitting up PR :)

@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Sep 2, 2020
@techknowlogick techknowlogick added this to the 1.13.0 milestone Sep 2, 2020
6543
6543 reviewed Sep 2, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@6543 6543 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do this is need a opt out? Via app.ini ?

@techknowlogick
Copy link
Copy Markdown
Member

techknowlogick commented Sep 2, 2020

do this is need a opt out?

As there is a way for users to use less secure way (reverse proxy in front of gitea configured with lower TLS version) I'm ok if we don't provide opt-out.

@6543
Copy link
Copy Markdown
Member

6543 commented Sep 2, 2020

yes had that in mind too - just like to have a bit consent :)

6543
6543 approved these changes Sep 2, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@6543 6543 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

go secure :D

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Sep 2, 2020
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Sep 2, 2020

Codecov Report

Merging #12689 into master will decrease coverage by 0.00%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #12689      +/-   ##
==========================================
- Coverage   43.33%   43.33%   -0.01%     
==========================================
  Files         645      645              
  Lines       71526    71527       +1     
==========================================
  Hits        30994    30994              
- Misses      35516    35518       +2     
+ Partials     5016     5015       -1
Impacted Files Coverage Δ
modules/graceful/server.go 47.00% <0.00%> (-0.41%) ⬇️
services/pull/check.go 47.69% <0.00%> (-2.31%) ⬇️
models/error.go 34.81% <0.00%> (-0.52%) ⬇️
services/pull/pull.go 41.57% <0.00%> (-0.47%) ⬇️
models/issue_comment.go 53.75% <0.00%> (-0.16%) ⬇️
modules/sync/unique_queue.go 44.89% <0.00%> (+6.12%) ⬆️
modules/indexer/stats/queue.go 76.47% <0.00%> (+11.76%) ⬆️
modules/indexer/stats/db.go 60.86% <0.00%> (+17.39%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5fd9f72...fdca89d. Read the comment docs.

@zeripath zeripath merged commit 702e98c into go-gitea:master Sep 2, 2020
@zeripath zeripath deleted the pr-10602-set-tls-minversion branch September 2, 2020 22:40
@lunny lunny added the pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! label Sep 3, 2020
@lunny
Copy link
Copy Markdown
Member

lunny commented Sep 3, 2020

This is a breaking change we should mention on release notes.

@lafriks lafriks added the release/highlight Marks a PR as a highlight-worthy change for the release notes. label Sep 3, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh removed the release/highlight Marks a PR as a highlight-worthy change for the release notes. label Oct 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@techknowlogick techknowlogick techknowlogick approved these changes

@6543 6543 6543 approved these changes

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Projects

None yet

Milestone

1.13.0

Development

Successfully merging this pull request may close these issues.

8 participants

@zeripath @techknowlogick @6543 @codecov-commenter @lunny @lafriks @GiteaBot @delvh