Skip to content

feat(socket) change LuaSec ssl_protocol default options #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
leafo merged 1 commit into from
Mar 3, 2021
Merged

feat(socket) change LuaSec ssl_protocol default options #103

leafo merged 1 commit into from
Mar 3, 2021

Conversation

@jeremymv2
Copy link
Contributor

@jeremymv2 jeremymv2 commented Feb 26, 2021

The underlying LuaSec SSL library allows for setting the encryption protocol
to 'any' [1]. When set as such, the client negotiates the highest
encryption protocol available. This any protocol version setting is
widely in use in the luasec repository [2].

In addition, this change limits the lowest allowable ssl protocol
version to a version not less than TLSv1.1.

In support of the above, the implementation is two-fold:

  • add no_sslv2, no_sslv3, and no_tlsv1 LuaSec options similar to what
    has been done in lua-cassandra [3]
  • set default LuaSec ssl_protocol to 'any' also similar to what has
    been done in lua-cassandra [4]

[1] - https://github.com/brunoos/luasec/blob/711a98b7605ad87b521ba607024947113bc1f527/CHANGELOG#L101
[2] - https://github.com/brunoos/luasec/search?q=protocol+%3D+%22any%22
[3] - thibaultcha/lua-cassandra@b6dff88
[4] - thibaultcha/lua-cassandra@d742d5c

Signed-off-by: Jeremy J. Miller [email protected]

@jeremymv2 jeremymv2 force-pushed the feat/ssl_version_opts branch 10 times, most recently from cd42c1d to 67dcd04 Compare March 2, 2021 15:14
@jeremymv2
Copy link
Contributor Author

jeremymv2 commented Mar 2, 2021

cc: @thibaultcha

feat(socket) change LuaSec ssl_protocol default options
61a1f2c 
The underlying LuaSec SSL library allows for setting the encryption protocol
to 'any' [1]. When set as such, the client negotiates the highest
encryption protocol available. This `any` protocol version setting is
widely in use in the luasec repository [2].

In addition, this change limits the lowest allowable ssl protocol
version to a version not less than TLSv1.1.

In support of the above, the implementation is two-fold:
 - add no_sslv2, no_sslv3, and no_tlsv1 LuaSec options similar to what
   has been done in lua-cassandra [3]
 - set default LuaSec ssl_protocol to 'any' also similar to what has
   been done in lua-cassandra [4]

[1] - https://github.com/brunoos/luasec/blob/711a98b7605ad87b521ba607024947113bc1f527/CHANGELOG#L101
[2] - https://github.com/brunoos/luasec/search?q=protocol+%3D+%22any%22
[3] - thibaultcha/lua-cassandra@b6dff88
[4] - thibaultcha/lua-cassandra@d742d5c

Signed-off-by: Jeremy J. Miller <[email protected]>

disable prefer server ciphers

Signed-off-by: Jeremy J. Miller <[email protected]>
@jeremymv2 jeremymv2 force-pushed the feat/ssl_version_opts branch from 67dcd04 to 61a1f2c Compare March 2, 2021 15:22
@leafo
Copy link
Owner

leafo commented Mar 2, 2021

Looks good to me, thanks for getting the tests working. Tell me if you're good for the merge.

@jeremymv2
Copy link
Contributor Author

jeremymv2 commented Mar 3, 2021
edited
Loading

@leafo

Looks good to me, thanks for getting the tests working. Tell me if you're good for the merge.

I wanted to do some triple checking with a product I'm working on (Kong) and this change. Everything checks out. With this change I can connect to PG9.5 and PG13 instances using TLSV1.1, TLSV1.2 and TLSV1.3 (in PG13).

When trying to connect with TLSv1 or lower you will get:
Error: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: no protocols available

I think this is ready for a merge. Thank you!

@leafo leafo merged commit a47f39e into leafo:master Mar 3, 2021
@leafo
Copy link
Owner

leafo commented Mar 3, 2021

Thanks for the patch, I'll push out a new versioned number shortly

leafo added a commit that referenced this pull request Mar 3, 2021
@leafo
rebuild moon, fix discrepancy in lua/moon #103
f9631ae
@ghost ghost mentioned this pull request Apr 6, 2021
Merged
fffonion pushed a commit to fffonion/pgmoon that referenced this pull request Feb 16, 2022
@leafo @fffonion
rebuild moon, fix discrepancy in lua/moon leafo#103
71812b7
fffonion added a commit to fffonion/pgmoon that referenced this pull request Feb 16, 2022
@fffonion
rebuild moon, fix discrepancy in lua/moon leafo#103
ddfa0ab
fffonion added a commit to Kong/pgmoon that referenced this pull request Feb 18, 2022
@fffonion
rebuild moon, fix discrepancy in lua/moon leafo#103
96fc9eb
tyler-ball pushed a commit to Kong/pgmoon that referenced this pull request Feb 25, 2022
@fffonion @tyler-ball
rebuild moon, fix discrepancy in lua/moon leafo#103
3cbe7be 
tball: Updating for 1.14 code base
gruceo pushed a commit to Kong/pgmoon that referenced this pull request Jun 29, 2022
@fffonion @gruceo
rebuild moon, fix discrepancy in lua/moon leafo#103
99eb27b 
tball: Updating for 1.14 code base
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremymv2 @leafo