
ROX-33255: Allow TLS 1.0/1.1 in tlsprofile#19652

Merged
vladbologa merged 1 commit into master from vb/support-legacy-tls
Mar 30, 2026

Conversation


@vladbologa vladbologa commented Mar 27, 2026

Description

When implementing the configurable TLS profiles for Go-based Stackrox applications, I chose to reject minimum TLS versions lower than 1.2, to not allow decreasing the Stackrox security posture from the previous hardcoded defaults.

Here I am revisiting that decision. With the upcoming OpenShift cluster-wide TLS profile support (ROX-33336), a cluster admin can configure the Old TLS profile with StrictAllComponents adherence, which requires TLS 1.0. To be compliant, we should also accept these settings. Moreover, PostgreSQL components already accept TLS 1.0/1.1 (they use the literal settings provided to them - see #19160), which would cause an inconsistency in behavior between Stackrox services.

The defaults remain unchanged: TLS 1.2 minimum with AES-256 preferred ciphers. TLS 1.0/1.1 is only used when explicitly requested.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

CI is sufficient
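As an added example, not code from this PR or from StackRox, the following Go sketch shows the behaviour the description lays out: a TLS 1.2 minimum with AES-256 suites preferred stays in force unless a profile explicitly names TLS 1.0 or 1.1, and the caller gets a flag so the downgrade can be logged rather than applied silently. The OpenShift-style version names, the helper names and the default cipher order are assumptions made for the illustration.

```go
package main

import "crypto/tls"
import "fmt"

// Added illustration, not StackRox code: OpenShift TLS profile version names to Go constants.
var versionByName = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// Unchanged default described in the PR: TLS 1.2 minimum, AES-256 GCM suites preferred.
var defaultCiphers = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// cipherIDByName resolves an IANA suite name; InsecureCipherSuites is searched too, since several CBC suites a TLS 1.0/1.1 client may require are listed only there.
func cipherIDByName(name string) (uint16, bool) {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return cs.ID, true
		}
	}
	return 0, false
}

// BuildTLSConfig applies a profile; empty minVersion and nil ciphers keep the defaults. TLS 1.0/1.1
// are honoured only when named explicitly, and legacy=true tells the caller to log the weakened posture.
func BuildTLSConfig(minVersion string, ciphers []string) (cfg *tls.Config, legacy bool, err error) {
	cfg = &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: defaultCiphers}
	if minVersion != "" {
		v, ok := versionByName[minVersion]
		if !ok {
			return nil, false, fmt.Errorf("unknown TLS version %q", minVersion)
		}
		cfg.MinVersion = v
	}
	if ciphers != nil {
		cfg.CipherSuites = nil // an explicit list replaces the default preference order
		for _, name := range ciphers {
			id, ok := cipherIDByName(name)
			if !ok {
				return nil, false, fmt.Errorf("unknown cipher suite %q", name)
			}
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	return cfg, cfg.MinVersion < tls.VersionTLS12, nil
}
```

Note that Go ignores CipherSuites for TLS 1.3 connections, so the list only shapes TLS 1.0 to 1.2 negotiation.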

@rhacs-bot

Images are ready for the commit at 176b313.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-465-g176b3138d2.

@vladbologa vladbologa requested review from a team and porridge and removed request for a team March 27, 2026 12:03
@codecov

codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.37%. Comparing base (804901c) to head (176b313).
⚠️ Report is 23 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19652      +/-   ##
==========================================
+ Coverage   49.34%   49.37%   +0.03%     
==========================================
  Files        2742     2742              
  Lines      206953   206953              
==========================================
+ Hits       102126   102190      +64     
+ Misses      97231    97181      -50     
+ Partials     7596     7582      -14     
Flag Coverage Δ
go-unit-tests 49.37% <ø> (+0.03%) ⬆️



@GrimmiMeloni GrimmiMeloni left a comment


LGTM

@vladbologa vladbologa merged commit a90efa3 into master Mar 30, 2026
121 checks passed
@vladbologa vladbologa deleted the vb/support-legacy-tls branch March 30, 2026 18:43