[stork-users] Disable unwanted TLS version
Slawek Figiel
slawek at isc.org
Thu Oct 12 14:21:05 UTC 2023
Hello Roland!

Could you provide more details?

The Stork agent communicates with other services using various protocols:

- It is an HTTP server that shares the Prometheus metrics. It is done
over the HTTP protocol. There is no way to use TLS in the Stork agent. You
can do it using a reverse proxy.
- It is an HTTP client when it sends requests to the Stork agent. The
minimal accepted TLS version is 1.2.
- It is an HTTP client when it sends requests to the Kea Control Agent.
The minimal accepted TLS version is 1.2.
- It acts as a GRPC server. It accepts only the connections from the
Stork server. It always uses TLS. The minimum accepted TLS version is 1.0.

So, I suppose you mean the GRPC connection. Fortunately, the Stork
server always makes the GRPC calls with the minimal TLS version set to 1.2.
The Stork agent doesn't accept requests from any other sender.
Therefore, in practice, the data will always be exchanged over TLS 1.2
or higher.

I think we can just increase the minimum TLS version accepted by the Stork
agent when it acts as the GRPC server.

I described this proposal in:
https://gitlab.isc.org/isc-projects/stork/-/issues/1197

Best regards,
Slawek

On 12/10/2023 15:58, DDFR | Ronald Blaas wrote:
> Hi all,
>
> Does anyone know if it is possible to disable old /unwanted tls/ssl
> protocols?
>
> We are running various scanners on our system and the stork agent is
> apparently answering to tls 1.0 / 1.1
>
> Could not find this in the manual
>
> regards,
>
> Ronald
>
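
A local check of what a minimum-version setting changes, as an added example that is not part of the original message and is not Stork's code: a Go `crypto/tls` listener is started with a given `MinVersion` and probed with clients pinned to each protocol version, which is what a TLS scanner reports on. The function name `AcceptedVersions`, the loopback listener and the throwaway certificate are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// AcceptedVersions starts a loopback TLS listener whose only policy is MinVersion
// and reports which protocol versions a version-pinned client can negotiate.
func AcceptedVersions(serverMin uint16) (map[uint16]bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Throwaway self-signed certificate, constructed for this local probe only.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // complete (or reject) each incoming handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	accepted := map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true} // peer is our own test listener
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if accepted[v] = err == nil; err == nil {
			conn.Close()
		}
	}
	return accepted, nil
}

func main() {
	fmt.Println(AcceptedVersions(tls.VersionTLS10)) // keys: 769=1.0, 770=1.1, 771=1.2, 772=1.3
	fmt.Println(AcceptedVersions(tls.VersionTLS12))
}
```
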