Removed TLSv1.1 from default set of supported protocols (elastic#203856)

## Summary Removed `TLSv1.1` from default set of supported protocols. ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release Note Removed `TLSv1.1` from default set of supported protocols __Closes: https://github.com/elastic/kibana/issues/184756__ --------- Co-authored-by: Elastic Machine <[email protected]>
gbamparop · Dec 16, 2024 · a25f195 · a25f195
1 parent 5077e6d
commit a25f195
Show file tree

Hide file tree

Showing 5 changed files with 4 additions and 5 deletions.
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -565,7 +565,9 @@ all http requests to https over the port configured as <<server-port, `server.po
 
 [[server-ssl-supportedProtocols]] `server.ssl.supportedProtocols`::
 An array of supported protocols with versions.
-Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. *Default: TLSv1.1, TLSv1.2, TLSv1.3*
+Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. *Default: TLSv1.2, TLSv1.3*
+Enabling `TLSv1.1` would require both setting the `--tls-min-1.1` option in the `node.options` configuration and adding `TLSv1.1` to `server.ssl.supportedProtocols`.
+`HTTP/2` requires the use of minimum `TLSv1.2` for secure connections.
 
 [[server-uuid]] `server.uuid`::
 The unique identifier for this {kib} instance. It must be a valid UUIDv4. It gets automatically generated on the first startup if not specified and persisted in the `data` path.

diff --git a/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap b/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap
diff --git a/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts b/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts
@@ -355,7 +355,6 @@ describe('CoreUsageDataService', () => {
                   "keystoreConfigured": false,
                   "redirectHttpFromPortConfigured": false,
                   "supportedProtocols": Array [
-                    "TLSv1.1",
                     "TLSv1.2",
                     "TLSv1.3",
                   ],

diff --git a/packages/kbn-health-gateway-server/src/server/server_config.test.ts b/packages/kbn-health-gateway-server/src/server/server_config.test.ts
@@ -56,7 +56,6 @@ describe('server config', () => {
           "enabled": false,
           "keystore": Object {},
           "supportedProtocols": Array [
-            "TLSv1.1",
             "TLSv1.2",
             "TLSv1.3",
           ],

diff --git a/packages/kbn-server-http-tools/src/ssl/ssl_config.ts b/packages/kbn-server-http-tools/src/ssl/ssl_config.ts
@@ -52,7 +52,7 @@ export const sslSchema = schema.object(
         schema.literal(TLS_V1_2),
         schema.literal(TLS_V1_3),
       ]),
-      { defaultValue: [TLS_V1_1, TLS_V1_2, TLS_V1_3], minSize: 1 }
+      { defaultValue: [TLS_V1_2, TLS_V1_3], minSize: 1 }
     ),
     clientAuthentication: schema.oneOf(
       [schema.literal('none'), schema.literal('optional'), schema.literal('required')],