TLS Documentation Changes (#12940)

* Add note to TLS cipher suite configuration

Ordering is no longer respected and the tls_max_version flag must be
used for this list to be relevant (as TLSv1.3 will ignore the cipher
suite list entirely).

See blog post linked in the docs for more information.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note that server cipher suite flag is ignored

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add upgrade note about TLS cipher suites

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2021-11-01 18:14:41 -04:00 committed by GitHub
parent 9701bdf9be
commit 759f94fa6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 0 deletions
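The behaviour the commit message describes, as an added example that is not part of this commit or of Vault's own code: the Go program below runs crypto/tls handshakes entirely in memory (self-signed P-256 certificate generated on the fly, `net.Pipe` instead of a socket) and reports what the server negotiated. The `serverSuites` and `maxVersion` arguments are this example's stand-ins for the listener's `tls_cipher_suites` and `tls_max_version`; the mapping, the helper names and the three scenarios in `main` are assumptions of the example. It requires Go 1.17 or newer, the version whose ordering change the commit documents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway P-256 certificate for the in-memory handshakes (constructed here, not a Vault-issued cert).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs one handshake over net.Pipe. serverSuites stands in for the listener's
// tls_cipher_suites and maxVersion for tls_max_version (assumed mapping); the client uses
// Go's defaults. It returns the protocol version and cipher suite the server actually used.
func negotiate(serverSuites []uint16, maxVersion uint16) (uint16, uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		CipherSuites:           serverSuites,
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             maxVersion,
		SessionTicketsDisabled: true, // no post-handshake records, so the synchronous pipe cannot stall
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	clientRaw, serverRaw := net.Pipe()
	defer clientRaw.Close()
	defer serverRaw.Close()
	client, server := tls.Client(clientRaw, clientCfg), tls.Server(serverRaw, serverCfg)
	clientErr := make(chan error, 1)
	go func() { clientErr <- client.Handshake() }()
	if err := server.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-clientErr; err != nil {
		return 0, 0, err
	}
	st := server.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

// contains reports whether suite is one of the configured IDs.
func contains(ids []uint16, suite uint16) bool {
	for _, id := range ids {
		if id == suite {
			return true
		}
	}
	return false
}

// report prints one negotiation outcome; a handshake failure aborts the demo.
func report(name string, suites []uint16, max uint16) {
	v, s, err := negotiate(suites, max)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-32s version=%#x suite=%s (from configured list: %t)\n", name, v, tls.CipherSuiteName(s), contains(suites, s))
}

func main() {
	// Two TLS 1.2 suites usable with the ECDSA certificate, listed in both orders.
	aesFirst := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}
	chachaFirst := []uint16{aesFirst[1], aesFirst[0]}
	report("TLS 1.3 allowed, AES first", aesFirst, tls.VersionTLS13)
	report("capped at TLS 1.2, AES first", aesFirst, tls.VersionTLS12)
	report("capped at TLS 1.2, ChaCha first", chachaFirst, tls.VersionTLS12)
}
```

With the maximum left at TLS 1.3 the negotiated suite is a TLS 1.3 suite that never appears in the configured list; capped at TLS 1.2 the list is honoured as a filter, but reversing its order does not change the selection, because Go applies its own preference order. Which of the two TLS 1.2 suites wins depends on whether the machine has AES-GCM hardware support, not on the list order.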

View File

@ -133,9 +133,17 @@ default value in the `"/sys/config/ui"` [API endpoint](/api/system/config-ui).
ciphersuites as a comma-separated-list. The list of all available ciphersuites
is available in the [Golang TLS documentation][golang-tls].
~> **Note**: Go only consults this list for TLSv1.2 and earlier; the order of
ciphers is not important. For this parameter to be effective, the
`tls_max_version` property must be set to `tls12` to prevent negotiation of
TLSv1.3, which is not recommended. See the [Go blog post][go-tls-blog] for
more information.
- `tls_prefer_server_cipher_suites` `(string: "false")` Specifies to prefer the
server's ciphersuite over the client ciphersuites.
~> **Warning**: This parameter is deprecated. Setting it has no effect.
- `tls_require_and_verify_client_cert` `(string: "false")` Turns on client
authentication for this listener; the listener will require a presented
client cert that successfully validates against system CAs.
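Review bot: "which is not recommended" in the added note is ambiguous: after "to prevent negotiation of TLSv1.3" it reads as though TLSv1.3 itself is discouraged, the opposite of the intent. Suggest splitting the sentence: "For this parameter to have any effect, `tls_max_version` must be set to `tls12` so that TLSv1.3 is never negotiated. Capping the listener at TLSv1.2 for this purpose is not recommended." It would also help to say that with Go's ordering the list now acts only as a filter of permitted suites, and the warning on `tls_prefer_server_cipher_suites` should state since when it is ignored (Vault 1.9 / Go 1.17, as the upgrade note in this same commit does), so an operator can tell whether the version they run still honours it.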
@ -331,3 +339,4 @@ cluster_addr = "https://[2001:1c04:90d:1c00:a00:27ff:fefa:58ec]:8201"
[golang-tls]: https://golang.org/src/crypto/tls/cipher_suites.go
[api-addr]: /docs/configuration#api_addr
[cluster-addr]: /docs/configuration#cluster_addr
[go-tls-blog]: https://go.dev/blog/tls-cipher-suites

View File

@ -65,3 +65,13 @@ should prepare to [migrate](/docs/commands/operator/migrate) Vault storage to
an Etcd v3 cluster prior to upgrading to Vault 1.10. All storage migrations
should have [backups](/docs/concepts/storage#backing-up-vault-s-persisted-data)
taken prior to migration.
## TLS Cipher Suites Changes
In Vault 1.9, due to changes in Go 1.17, the `tls_prefer_server_cipher_suites`
TCP configuration parameter has been deprecated and its value will be ignored.
Additionally, Go has begun doing automated cipher suite ordering and no longer
respects the order of suites given in `tls_cipher_suites`.
See [this blog post](https://go.dev/blog/tls-cipher-suites) for more information.
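Review bot: the upgrade note leaves out the TLSv1.3 interaction that the listener docs in this same commit add: `tls_cipher_suites` is consulted only for TLSv1.2 and earlier, so on a listener that negotiates TLSv1.3 the list has no effect at all, whatever its order. Suggest a sentence after "respects the order of suites given in `tls_cipher_suites`." pointing at `tls_max_version` and the listener documentation. It would also help to say explicitly that `tls_prefer_server_cipher_suites` is still accepted and simply ignored (the listener doc says "Setting it has no effect"), so operators know the key can stay in existing configuration or be removed at their convenience.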