gregrebholz
Contributor

Closes #2807 to allow users to configure the minimum allowable TLS version for Registry. Usage is via config.yml:

http:
  tls:
    minimumtls: tls1.2

An omitted or unrecognized string results in the same TLS1.0 support we have today, and allowed strings are in the updated docs - "tls1.0", "tls1.1", "tls1.2".
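An added example, not code from this pull request or the distribution project: a Go sketch of the rule described above, showing that a recognized `minimumtls` value rejects a TLS 1.0 client while an omitted or mistyped value silently keeps TLS 1.0 enabled. The helper names `minVersion`, `selfSigned` and `handshake`, the in-memory pipe, and the typo value "tls12" are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// minVersion (hypothetical helper): documented strings map to a version; anything else falls back to TLS 1.0.
func minVersion(s string) (uint16, bool) {
	known := map[string]uint16{"tls1.0": tls.VersionTLS10, "tls1.1": tls.VersionTLS11, "tls1.2": tls.VersionTLS12}
	if v, ok := known[s]; ok {
		return v, true
	}
	return tls.VersionTLS10, false
}

// selfSigned builds a throwaway certificate (constructed for this example).
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"registry.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake reports whether a client capped at clientMax connects to a server configured with minimumtls.
func handshake(minimumtls, clientMax string) bool {
	floor, _ := minVersion(minimumtls)
	ceiling, _ := minVersion(clientMax)
	c, s := net.Pipe() // in-memory connection, no network needed
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{selfSigned()}, MinVersion: floor})
	go func() { srv.Handshake(); s.Close() }()
	// Verification is skipped only because the certificate is a throwaway one.
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: ceiling})
	defer c.Close()
	return cli.Handshake() == nil
}

func main() {
	for _, cfg := range []string{"tls1.2", "", "tls12"} { // "tls12" is a constructed typo
		_, ok := minVersion(cfg)
		fmt.Printf("minimumtls=%q recognized=%v TLS1.0-only client accepted=%v\n", cfg, ok, handshake(cfg, "tls1.0"))
	}
}
```

Because the fallback is permissive, checking a deployed registry with a client capped at TLS 1.0 is the reliable way to confirm the setting took effect.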

@GordonTheTurtle

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "feat/tls1.2only" git@github.com:gregrebholz/distribution.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

@codecov

codecov bot commented Jan 9, 2019

Codecov Report

Merging #2808 into master will decrease coverage by 0.1%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           master    #2808      +/-   ##
==========================================
- Coverage   60.25%   60.15%   -0.11%     
==========================================
  Files         103      103              
  Lines        8024     8038      +14     
==========================================
  Hits         4835     4835              
- Misses       2546     2560      +14     
  Partials      643      643

Flag      Coverage Δ
#linux    60.15% <0%> (-0.11%) ⬇️

Impacted Files                    Coverage Δ
configuration/configuration.go    65.59% <ø> (ø) ⬆️
registry/registry.go              32% <0%> (-2.13%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 91b0f05...cdb62b2.

Contributor

@manishtomar manishtomar left a comment

Kindly add a warning.

Contributor

@caervs caervs left a comment

Otherwise LGTM

Signed-off-by: J. Gregory Rebholz <gregrebholz@gmail.com>
Contributor

@caervs caervs left a comment

LGTM

@caervs caervs merged commit b1fd12d into distribution:master Jan 14, 2019
@gregrebholz gregrebholz deleted the feat/tls1.2only branch January 15, 2019 01:29
@gaby

gaby commented Jan 22, 2021

@caervs @manishtomar @gregrebholz It seems like even though these changes were merged over a year ago, they never got released.

Can someone please look into this? Having TLS1.0 as default in 2021 is a big no.

Thanks!

@mtucker502

What version are you using? I see this change was included in release v2.7.1

@thaJeztah
Member

@mtucker502

You're right. Looks like they didn't include latest master when they released 2.7.1. That's unfortunate.

Also, no new releases in 2.5 years.

@thaJeztah
Member

> Looks like they didn't include latest master when they released 2.7.1. That's unfortunate.

Yes, but that's expected; this project uses release branches for releases, and specific bug fixes are cherry-picked to those branches (master/main is used for "release X + 1" (which could be next "major" or "minor" release, depending on changes; currently main is targeting v3.0.0))

namnx228 pushed a commit to namnx228/distribution that referenced this pull request Sep 30, 2021
Registry - make minimum TLS version user configurable
Successfully merging this pull request may close these issues.

Registry - Allow minimum TLS version to be configurable