The Boulder WFE accepts incoming connections (from our load balancers)
via either TLS or plain HTTP. When those connections are made over TLS,
it already enforces that the client be using TLS 1.3 or above. When those
connections are made over plain HTTP, the load balancer includes the TLS
version as a header, and Boulder was performing filtering based on that.
Our load balancers are now configured to reject older TLS versions, so we
can remove this check.
Fixes #7710
As of https://community.letsencrypt.org/t/rejecting-tls-1-0-1-1-for-inbound-acme-connections/176107/4?u=mcpherrinm, the incoming LBs no longer support 1.0 / 1.1, so we can remove the code in Boulder which looks for and rejects these requests:
https://github.com/letsencrypt/boulder/blob/main/wfe2/wfe.go#L288-L292
https://github.com/letsencrypt/boulder/blob/main/wfe2/wfe_test.go#L3790-L3803
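
The kind of header-based filter described above, as an added example in Go middleware form; it is not Boulder's code. The header name, its value format and the 400 status are assumptions, since the page does not give them.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tlsVersionHeader is a hypothetical header name; the page does not say
// which header the load balancer sets.
const tlsVersionHeader = "X-Example-TLS-Version"

// oldVersions holds constructed header values for TLS 1.0 and 1.1.
var oldVersions = map[string]bool{"TLSv1": true, "TLSv1.1": true}

// rejectOldTLS refuses plain-HTTP requests that the load balancer tagged as
// TLS 1.0/1.1. Direct TLS connections (r.TLS != nil) are left to the
// listener's own minimum-version setting. A missing header passes, so the
// check only means something when every plain-HTTP request comes from a
// trusted load balancer that overwrites any client-supplied copy of it.
func rejectOldTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil && oldVersions[r.Header.Get(tlsVersionHeader)] {
			http.Error(w, "TLS version too old", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed plain-HTTP request through the filter
// and returns the response status code.
func statusFor(headerValue string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/directory", nil)
	if headerValue != "" {
		req.Header.Set(tlsVersionHeader, headerValue)
	}
	rec := httptest.NewRecorder()
	rejectOldTLS(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, v := range []string{"TLSv1", "TLSv1.1", "TLSv1.3", ""} {
		fmt.Printf("%q -> %d\n", v, statusFor(v))
	}
}
```

Once the load balancer itself refuses the old versions, no request can carry those header values, which is why the application-side check becomes dead code.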