
Remove pre-tls1.2 tracking code from Boulder #7710

Closed
mcpherrinm opened this issue Sep 13, 2024 · 0 comments · Fixed by #7711
mcpherrinm commented Sep 13, 2024

As of https://community.letsencrypt.org/t/rejecting-tls-1-0-1-1-for-inbound-acme-connections/176107/4?u=mcpherrinm, the incoming LBs no longer support 1.0 / 1.1, so we can remove the code in Boulder which looks for and rejects these requests:

https://github.com/letsencrypt/boulder/blob/main/wfe2/wfe.go#L288-L292
https://github.com/letsencrypt/boulder/blob/main/wfe2/wfe_test.go#L3790-L3803

aarongable pushed a commit that referenced this issue Oct 1, 2024
The Boulder WFE accepts incoming connections (from our load balancers)
via either TLS or plain HTTP. When those connections are made over TLS,
it already enforces that the client be using TLS 1.3 or above. When those
connections are made over plain HTTP, the load balancer includes the TLS
version as a header, and Boulder was performing filtering based on that.

Our load balancers are now configured to reject older TLS versions, so we
can remove this check.

Fixes #7710
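The shape of the check being removed, as an added illustration rather than Boulder's own code: a Go middleware that takes the client's TLS version from the connection state when the server terminates TLS itself, and otherwise from a header set by the load balancer on the plain-HTTP hop, and refuses 1.0 and 1.1 with an ACME-style problem document. The header name, its value spellings and the problem-document wording are assumptions; only the header branch relies on the load balancer being the sole path in, which is the same trust that makes the check redundant once the load balancer rejects those versions itself.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"net/http"
)

// tlsVersionHeader is an assumed name for the header a TLS-terminating load
// balancer adds on the plain-HTTP hop; it is not Boulder's real header name.
const tlsVersionHeader = "X-Forwarded-TLS-Version"

// Assumed header spellings for the pre-TLS-1.2 versions to reject.
var legacyVersions = map[string]bool{"TLSv1": true, "TLSv1.0": true, "TLSv1.1": true}

// clientTLSVersion reports the client's TLS version: from the connection state
// when this server terminates TLS, otherwise from the load-balancer header.
func clientTLSVersion(r *http.Request) string {
	if r.TLS != nil {
		switch r.TLS.Version {
		case tls.VersionTLS10:
			return "TLSv1.0"
		case tls.VersionTLS11:
			return "TLSv1.1"
		default:
			return "TLSv1.2+" // 1.2 or newer; never matches legacyVersions
		}
	}
	return r.Header.Get(tlsVersionHeader) // empty string means unknown
}

// rejectLegacyTLS is the kind of filter the commit removed: requests whose
// reported TLS version is 1.0 or 1.1 get a 400 with a problem document.
// The header branch is only trustworthy when every plain-HTTP request
// reaches this handler through the load balancer that sets the header.
func rejectLegacyTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if legacyVersions[clientTLSVersion(r)] {
			w.Header().Set("Content-Type", "application/problem+json")
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(map[string]interface{}{
				"type":   "urn:ietf:params:acme:error:malformed",
				"detail": "TLS 1.2 or newer is required",
				"status": http.StatusBadRequest,
			})
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Note that a request carrying neither connection state nor the header passes through; the filter only rejects versions it can positively identify as legacy.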