Support for TLS v1.3 (#5133)

* feat: adds support for TLSv1.3 Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com> * feat: update changelog Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com> --------- Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
opensearch-project · Oct 12, 2023 · f28b729 · f28b729
1 parent 39d6828
commit f28b729
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2019-11358] Bump version of tinygradient from 0.4.3 to 1.1.5 ([#4742](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4742))
 - [CVE-2021-3520] Bump `lmdb` from `2.8.0` to `2.8.5` ([#4804](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4804))
 - Remove examples and other unwanted artifacts from installed dependencies ([#4896](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4896))
+- Add support for TLS v1.3 ([#5133](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5133))
 
 ### 📈 Features/Enhancements
 

diff --git a/src/core/server/core_usage_data/core_usage_data_service.mock.ts b/src/core/server/core_usage_data/core_usage_data_service.mock.ts
@@ -105,7 +105,7 @@ const createStartContractMock = () => {
               keyConfigured: false,
               keystoreConfigured: false,
               redirectHttpFromPortConfigured: false,
-              supportedProtocols: ['TLSv1.1', 'TLSv1.2'],
+              supportedProtocols: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
               truststoreConfigured: false,
             },
             xsrf: {

diff --git a/src/core/server/core_usage_data/core_usage_data_service.test.ts b/src/core/server/core_usage_data/core_usage_data_service.test.ts
@@ -163,6 +163,7 @@ describe('CoreUsageDataService', () => {
                   "supportedProtocols": Array [
                     "TLSv1.1",
                     "TLSv1.2",
+                    "TLSv1.3",
                   ],
                   "truststoreConfigured": false,
                 },

diff --git a/src/core/server/http/__snapshots__/http_config.test.ts.snap b/src/core/server/http/__snapshots__/http_config.test.ts.snap
diff --git a/src/core/server/http/ssl_config.test.ts b/src/core/server/http/ssl_config.test.ts
@@ -277,14 +277,19 @@ describe('#sslSchema', () => {
         certificate: '/path/to/certificate',
         enabled: true,
         key: '/path/to/key',
-        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2'],
+        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'],
       };
 
       const singleKnownProtocolConfig = sslSchema.validate(singleKnownProtocol);
       expect(singleKnownProtocolConfig.supportedProtocols).toEqual(['TLSv1']);
 
       const allKnownProtocolsConfig = sslSchema.validate(allKnownProtocols);
-      expect(allKnownProtocolsConfig.supportedProtocols).toEqual(['TLSv1', 'TLSv1.1', 'TLSv1.2']);
+      expect(allKnownProtocolsConfig.supportedProtocols).toEqual([
+        'TLSv1',
+        'TLSv1.1',
+        'TLSv1.2',
+        'TLSv1.3',
+      ]);
     });
 
     test('rejects unknown protocols`', () => {
@@ -299,21 +304,23 @@ describe('#sslSchema', () => {
         certificate: '/path/to/certificate',
         enabled: true,
         key: '/path/to/key',
-        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'SOMEv100500'],
+        supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', 'SOMEv100500'],
       };
 
       expect(() => sslSchema.validate(singleUnknownProtocol)).toThrowErrorMatchingInlineSnapshot(`
 "[supportedProtocols.0]: types that failed validation:
 - [supportedProtocols.0.0]: expected value to equal [TLSv1]
 - [supportedProtocols.0.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]"
+- [supportedProtocols.0.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.0.3]: expected value to equal [TLSv1.3]"
 `);
       expect(() => sslSchema.validate(allKnownWithOneUnknownProtocols))
         .toThrowErrorMatchingInlineSnapshot(`
-"[supportedProtocols.3]: types that failed validation:
-- [supportedProtocols.3.0]: expected value to equal [TLSv1]
-- [supportedProtocols.3.1]: expected value to equal [TLSv1.1]
-- [supportedProtocols.3.2]: expected value to equal [TLSv1.2]"
+"[supportedProtocols.4]: types that failed validation:
+- [supportedProtocols.4.0]: expected value to equal [TLSv1]
+- [supportedProtocols.4.1]: expected value to equal [TLSv1.1]
+- [supportedProtocols.4.2]: expected value to equal [TLSv1.2]
+- [supportedProtocols.4.3]: expected value to equal [TLSv1.3]"
 `);
     });
   });

diff --git a/src/core/server/http/ssl_config.ts b/src/core/server/http/ssl_config.ts
@@ -41,6 +41,7 @@ const protocolMap = new Map<string, number>([
   ['TLSv1', cryptoConstants.SSL_OP_NO_TLSv1],
   ['TLSv1.1', cryptoConstants.SSL_OP_NO_TLSv1_1],
   ['TLSv1.2', cryptoConstants.SSL_OP_NO_TLSv1_2],
+  ['TLSv1.3', cryptoConstants.SSL_OP_NO_TLSv1_3],
 ]);
 
 export const sslSchema = schema.object(
@@ -67,8 +68,13 @@ export const sslSchema = schema.object(
     }),
     redirectHttpFromPort: schema.maybe(schema.number()),
     supportedProtocols: schema.arrayOf(
-      schema.oneOf([schema.literal('TLSv1'), schema.literal('TLSv1.1'), schema.literal('TLSv1.2')]),
-      { defaultValue: ['TLSv1.1', 'TLSv1.2'], minSize: 1 }
+      schema.oneOf([
+        schema.literal('TLSv1'),
+        schema.literal('TLSv1.1'),
+        schema.literal('TLSv1.2'),
+        schema.literal('TLSv1.3'),
+      ]),
+      { defaultValue: ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], minSize: 1 }
     ),
     clientAuthentication: schema.oneOf(
       [schema.literal('none'), schema.literal('optional'), schema.literal('required')],