Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add no_tlsv1_3 to Puma::DSL#ssl_bindings and Puma::MiniSSL::Context #2426

Closed
wants to merge 1 commit into from
Closed

Add no_tlsv1_3 to Puma::DSL#ssl_bindings and Puma::MiniSSL::Context #2426

wants to merge 1 commit into from

Conversation

MSP-Greg
Copy link
Member

Description

Disables TLSv1.3 when front-ends don't support it

Also:

  1. Remove 'no_tls' false query parameters in bind string
  2. Update minissl.c for no_tlsv1_3, whitespace
  3. Add test_tls_v1_3_rejection to test_puma_server_ssl.rb
  4. Add three protocol tests to test_config.rb
  5. extconf.rb - 1.1.0 -> 1.1.1 change (macro to func)

See #1735

Your checklist for this pull request

  • I have reviewed the guidelines for contributing to this repository.
  • I have added an entry to History.md if this PR fixes a bug or adds a feature. If it doesn't need an entry to HISTORY.md, I have added [changelog skip] or [ci skip] to the pull request title.
  • I have added appropriate tests if this PR fixes a bug or adds a feature.
  • My pull request is 100 lines added/removed or less so that it can be easily reviewed.
  • If this PR doesn't need tests (docs change), I added [ci skip] to the title of the PR.
  • If this closes any issues, I have added "Closes #issue" to the PR description or my commit messages.
  • I have updated the documentation accordingly.
  • All new and existing tests passed, including Rubocop.

@MSP-Greg
Add no_tlsv1_3 to Puma::DSL#ssl_bindings and Puma::MiniSSL::Context
dbab8d0 
Disables TLSv1.3 when front-ends don't support it

Also:

1. Remove 'no_tls' false query parameters in bind string
2. Update minissl.c for no_tlsv1_3, whitespace
3. Add test_tls_v1_3_rejection to test_puma_server_ssl.rb
4. Add three protocol tests to test_config.rb
5. extconf.rb - 1.1.0 -> 1.1.1 change (macro to func)
@MSP-Greg MSP-Greg mentioned this pull request Oct 13, 2020
Closed
nateberkopec
nateberkopec reviewed Oct 14, 2020
View reviewed changes
lib/puma/dsl.rb
ca_additions = "&ca=#{opts[:ca]}" if ['peer', 'force_peer'].include?(verify)

if defined?(JRUBY_VERSION)
keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}"
bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}#{tls_str}#{ca_additions}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just realized how silly it is that we pass around arguments to bind internally as a string rather than as arguments. File that one away for the future...

nateberkopec
nateberkopec reviewed Oct 14, 2020
View reviewed changes
lib/puma/minissl/context_builder.rb
ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true'
ctx.no_tlsv1_3 = true if params['no_tlsv1_3'] == 'true'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At what point to we decide there's a more elegant interface here than just disabling individual TLS minor versions? I seem to remember something was discussed a long ways back...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When we drop support for OpenSSL 1.0.2? 1.1.1 has min/max functions, with 1.0.2 you have to supply a list of allowed protocols.

JFYI, TLSv1.2 came out in 2008, TLSv1.3 in 2018. What we have now will probably work for a few years...

@nateberkopec nateberkopec added the waiting-for-changes Waiting on changes from the requestor label Oct 15, 2020
@MSP-Greg
Copy link
Member Author

Issue #1735 pertained to a problem with load balancers (and hence, a high speed connection to Puma), and the question of whether Puma' downward negotiation from TLSv1.3 to TLSv1.2 slowed things down.

While working on #2519, and also testing locally with WSL2/Ubuntu, I checked the timing of using TLSv1.2 clients with Puma. Timing both with and without the server restricted to TLSv1.2, there was no significant difference.

Hence, closing.

@MSP-Greg MSP-Greg closed this Dec 31, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nateberkopec nateberkopec nateberkopec left review comments

Assignees
No one assigned
Labels
feature ssl waiting-for-changes Waiting on changes from the requestor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@MSP-Greg @nateberkopec