[keycloak-dev] PR review request: Improve TLS settings for proxy listener
Bruno Oliveira
bruno at abstractj.org
Tue Nov 26 07:05:47 EST 2019
The following PR
(https://github.com/keycloak/keycloak-gatekeeper/pull/449) is inspired
by the idea of achieving higher scores on SSL Labs
(https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go).
Even though I believe it's great to get high scores on SSL Labs, I can
see some cons about this change:
1. ParseTLS() function needs to be updated for every new Golang
version (https://github.com/keycloak/keycloak-gatekeeper/pull/449/files#diff-b4bda758a2aef091432646c354b4dc59R238)
2. We shouldn't support TLS 1.0, TLS 1.1
3. There's a chance that SSLv3 will be removed in Go 1.14
(https://github.com/golang/go/issues/32716)
If we believe that's our desire to move forward with the idea behind
this PR, probably some updates will be required. Anyways, feel free to
comment on that.
--
- abstractj
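An added example, not code from the PR or from keycloak-gatekeeper, illustrating concerns 1 and 2 in the message above: suite names are resolved through the tables in `crypto/tls`, so no hand-kept list needs updating per Go release, and only TLS 1.2 or 1.3 is accepted as a minimum. `ResolveCipherSuites`, `BuildTLSConfig` and the `tls1.2`/`tls1.3` option names are hypothetical, and `tls.CipherSuites()` requires Go 1.14 or later.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Only TLS 1.2 and 1.3 are accepted as a minimum; older names are rejected.
var minVersions = map[string]uint16{"tls1.2": tls.VersionTLS12, "tls1.3": tls.VersionTLS13}

// ResolveCipherSuites (hypothetical helper) maps suite names to IDs via crypto/tls's own tables.
func ResolveCipherSuites(names []string) ([]uint16, error) {
	if len(names) == 0 {
		return nil, nil // nil lets crypto/tls apply its own default suite list
	}
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		id, ok := secure[n]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q not accepted (flagged insecure by crypto/tls: %t)", n, insecure[n])
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// BuildTLSConfig (hypothetical helper) builds the listener's tls.Config from two settings.
func BuildTLSConfig(minVersion string, suites []string) (*tls.Config, error) {
	v, ok := minVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("minimum TLS version %q not allowed (use tls1.2 or tls1.3)", minVersion)
	}
	ids, err := ResolveCipherSuites(suites)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: v, CipherSuites: ids}, nil
}

// Constructed sample input: a legacy minimum version is refused.
func main() { fmt.Println(BuildTLSConfig("tls1.0", nil)) }
```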