[keycloak-dev] PR review request: Improve TLS settings for proxy listener
Sebastian Laskawiec
slaskawi at redhat.com
Tue Nov 26 07:53:18 EST 2019
The change seems sensible to me. I've seen many companies that want to
restrict TLS version or ciphers used in their services.
Is there any chance to refactor the PR to use whatever latest/greatest
provided by default in Go when there's no explicit configuration of this?
I'm trying to find a way to minimize the impact of forgetting to align with
the latest changes in Go.
On Tue, Nov 26, 2019 at 1:08 PM Bruno Oliveira <bruno at abstractj.org> wrote:
> The following PR
> (https://github.com/keycloak/keycloak-gatekeeper/pull/449) is inspired
> by the idea of achieving higher scores on SSL Labs
> (https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go).
>
> Even though I believe it's great to get high scores on SSL Labs, I can
> see some cons about this change:
>
> 1. ParseTLS() function needs to be updated for every new Golang
> version (
> https://github.com/keycloak/keycloak-gatekeeper/pull/449/files#diff-b4bda758a2aef091432646c354b4dc59R238
> )
>
> 2. We shouldn't support TLS 1.0, TLS 1.1
> 3. There's a chance that SSLv3 will be removed in Go 1.14
> (https://github.com/golang/go/issues/32716)
>
> If we believe that's our desire to move forward with the idea behind
> this PR, probably some updates will be required. Anyways, feel free to
> comment on that.
>
> --
> - abstractj
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
More information about the keycloak-dev
mailing list