The change seems sensible to me. I've seen many companies that want to
restrict the TLS version or ciphers used in their services.
Is there any chance to refactor the PR to use whatever latest/greatest is
provided by default in Go when there's no explicit configuration of this?
I'm trying to find a way to minimize the impact of forgetting to align with
the latest changes in Go.
On Tue, Nov 26, 2019 at 1:08 PM Bruno Oliveira <bruno(a)abstractj.org> wrote:
The following PR (https://github.com/keycloak/keycloak-gatekeeper/pull/449)
is inspired by the idea of achieving higher scores on SSL Labs
(https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go).
Even though I believe it's great to get high scores on SSL Labs, I can
see some cons about this change:
1. The ParseTLS() function needs to be updated for every new Golang
version
(https://github.com/keycloak/keycloak-gatekeeper/pull/449/files#diff-b4bda...)
2. We shouldn't support TLS 1.0, TLS 1.1
3. There's a chance that SSLv3 will be removed in Go 1.14
(https://github.com/golang/go/issues/32716)
If we believe that's our desire to move forward with the idea behind
this PR, probably some updates will be required. Anyway, feel free to
comment on that.
--
- abstractj
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
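Added example, not code from the gatekeeper PR or the Keycloak project: one way to get the behaviour the reply above asks for, where an unset option leaves the corresponding tls.Config field at its zero value (so crypto/tls applies the defaults of whichever Go release built the binary), TLS 1.0/1.1 cannot be selected at all, and cipher suite names are resolved against the running toolchain's own tls.CipherSuites()/tls.InsecureCipherSuites() lists (Go 1.14+) instead of a hand-maintained table that has to be edited for every Go release. TLSOptions, BuildTLSConfig, cipherSuiteIDs and the sample inputs in main are hypothetical names and constructed data; the only real APIs used are from crypto/tls.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSOptions is a hypothetical operator-facing configuration (not a
// gatekeeper type). Empty fields mean "not configured": the builder then
// leaves the matching tls.Config field at its zero value, and crypto/tls
// applies the defaults of the Go release the binary was built with.
type TLSOptions struct {
	MinVersion   string   // "TLS1.2" or "TLS1.3"; "" keeps Go's default
	CipherSuites []string // IANA suite names; nil keeps Go's default
}

// versionByName lists the only protocol versions an operator may pin.
// TLS 1.0, TLS 1.1 and SSLv3 are intentionally absent, so a config that
// asks for them is rejected rather than honoured. This table changes only
// when a new TLS protocol version exists, not on every Go release.
var versionByName = map[string]uint16{
	"TLS1.2": tls.VersionTLS12,
	"TLS1.3": tls.VersionTLS13,
}

// BuildTLSConfig turns TLSOptions into a *tls.Config. Nothing Go-version
// specific is embedded here: suite names are looked up in the running
// toolchain's lists, and suites Go itself marks insecure are refused.
func BuildTLSConfig(opts TLSOptions) (*tls.Config, error) {
	cfg := &tls.Config{}

	if v := strings.ToUpper(strings.TrimSpace(opts.MinVersion)); v != "" {
		id, ok := versionByName[v]
		if !ok {
			return nil, fmt.Errorf("tls: minimum version %q is unsupported or disallowed", opts.MinVersion)
		}
		cfg.MinVersion = id
	}

	if len(opts.CipherSuites) > 0 {
		ids, err := cipherSuiteIDs(opts.CipherSuites)
		if err != nil {
			return nil, err
		}
		cfg.CipherSuites = ids
	}
	return cfg, nil
}

// cipherSuiteIDs maps IANA names to suite IDs via tls.CipherSuites() and
// tls.InsecureCipherSuites() (Go 1.14+), so suites added in a newer Go
// work after an upgrade with no edit here. Input order is preserved
// because tls.Config treats it as the preference order.
func cipherSuiteIDs(names []string) ([]uint16, error) {
	secure := make(map[string]uint16)
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	insecure := make(map[string]bool)
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}

	ids := make([]uint16, 0, len(names))
	for _, raw := range names {
		name := strings.TrimSpace(raw)
		if insecure[name] {
			return nil, fmt.Errorf("tls: cipher suite %s is marked insecure by Go", name)
		}
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("tls: unknown cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

func main() {
	// Constructed inputs: an unconfigured deployment, a pinned one, and
	// two that must be rejected (TLS 1.0 and an RC4 suite).
	for _, opts := range []TLSOptions{
		{},
		{MinVersion: "TLS1.2", CipherSuites: []string{
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		}},
		{MinVersion: "TLS1.0"},
		{CipherSuites: []string{"TLS_RSA_WITH_RC4_128_SHA"}},
	} {
		cfg, err := BuildTLSConfig(opts)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("min=0x%04x (0 = Go default) suites=%v (nil = Go default)\n",
			cfg.MinVersion, cfg.CipherSuites)
	}
}
```

A zero MinVersion and a nil CipherSuites slice are the documented "use Go's defaults" values in tls.Config, which is what makes forgetting to update the code after a Go upgrade harmless; Go ignores CipherSuites for TLS 1.3 anyway, so the list only ever restricts TLS 1.2.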