Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1, require TLS 1.2 or better #2721

Open
marcalff opened this issue Jun 27, 2024 · 1 comment · May be fixed by #2722
Open

[SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1, require TLS 1.2 or better #2721

marcalff opened this issue Jun 27, 2024 · 1 comment · May be fixed by #2722
Assignees
@marcalff
Labels
bug Something isn't working removal Removal triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@marcalff
Copy link
Member

marcalff commented Jun 27, 2024
edited
Loading

Per the following RFC: https://www.ietf.org/rfc/rfc8996.html

TLS 1.0 MUST NOT be used. Negotiation of TLS 1.0 from any version of TLS MUST NOT be permitted.

TLS 1.1 MUST NOT be used. Negotiation of TLS 1.1 from any version of TLS MUST NOT be permitted.

In the OTLP HTTP exporter,

  • Remove min_TLS and max_TLS options support for TLS 1.0 and TLS 1.1.
  • Require TLS 1.2 or better
@marcalff marcalff added bug Something isn't working removal Removal labels Jun 27, 2024
@github-actions github-actions bot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 27, 2024
@marcalff marcalff pinned this issue Jun 27, 2024
marcalff added a commit to marcalff/opentelemetry-cpp that referenced this issue Jun 27, 2024
@marcalff
Fixes open-telemetry#2721
489c0c0
@marcalff marcalff linked a pull request Jun 27, 2024 that will close this issue
Open
3 tasks
@marcalff marcalff self-assigned this Jun 27, 2024
@marcalff marcalff changed the title [SECURITY] Remove TLS 1.0 and TLS 1.1 [SECURITY] Remove exporter options for TLS 1.0 and TLS 1.1 Jun 27, 2024
@marcalff marcalff changed the title [SECURITY] Remove exporter options for TLS 1.0 and TLS 1.1 [SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1, require TLS 1.2 or better Jun 27, 2024
@marcalff
Copy link
Member Author

marcalff commented Jun 27, 2024
edited
Loading

Note that this issue proposes to go strait to removal of TLS 1.0 and 1.1, without announcing deprecation in opentelemetry-cpp.

Per: https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
TLS 1.0 and TLS 1.1 have been deprecated since 2021, in https://www.ietf.org/rfc/rfc8996.html

The RFC 8996 serves as a deprecation notice, and everybody should be well aware by now.

In practice, this should not be an issue.

A system that in theory:

will be very hard to find.

Any endpoint that supports OTLP HTTP and supports SSL is expected to support TLS 1.2 already, hence the hard and abrupt removal of TLS 1.0 and TLS 1.1, for security reasons.

@marcalff marcalff added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcalff marcalff

Labels
bug Something isn't working removal Removal triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
1 participant
@marcalff