Skip to content

Commit

Permalink
[SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1, require …
Browse files Browse the repository at this point in the history
…TLS 1.2 (#2722)
  • Loading branch information
marcalff authored Jul 2, 2024
1 parent 5e21b8a commit 42563e4
Show file tree
Hide file tree
Showing 5 changed files with 86 additions and 45 deletions.
19 changes: 19 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,25 @@ Increment the:

## [Unreleased]

* [SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1,
require TLS 1.2 or better
[#2721](https://github.com/open-telemetry/opentelemetry-cpp/pull/2721)

Breaking changes:

* [SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1,
require TLS 1.2 or better
[#2721](https://github.com/open-telemetry/opentelemetry-cpp/pull/2721)
* The OTLP HTTP exporter no longer accept options like:
* min_TLS = 1.0
* min_TLS = 1.1
* max_TLS = 1.0
* max_TLS = 1.1
* When connecting to an OTLP HTTP endpoint, using `https`,
the connection will require TLS 1.2 by default,
unless min_TLS is set to 1.3
* Plain `http` connections (insecure) are not affected.

## [1.16.0] 2024-06-21

* [BUILD] Upgrade bazel abseil from 20220623.1 to 20230802.2
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ std::string GetOtlpDefaultTracesSslTlsMaxVersion();
std::string GetOtlpDefaultMetricsSslTlsMaxVersion();
std::string GetOtlpDefaultLogsSslTlsMaxVersion();

// For TLS 1.0, 1.1, 1.2
// For TLS 1.2
std::string GetOtlpDefaultTracesSslTlsCipher();
std::string GetOtlpDefaultMetricsSslTlsCipher();
std::string GetOtlpDefaultLogsSslTlsCipher();
Expand Down
8 changes: 2 additions & 6 deletions ext/include/opentelemetry/ext/http/client/http_client.h
Original file line number Diff line number Diff line change
Expand Up @@ -192,9 +192,7 @@ struct HttpSslOptions
/**
Minimum SSL version to use.
Valid values are:
- empty (no minimum version required)
- "1.0" (TLSv1.0)
- "1.1" (TLSv1.1)
- empty (defaults to TLSv1.2)
- "1.2" (TLSv1.2)
- "1.3" (TLSv1.3)
*/
Expand All @@ -204,16 +202,14 @@ struct HttpSslOptions
Maximum SSL version to use.
Valid values are:
- empty (no maximum version required)
- "1.0" (TLSv1.0)
- "1.1" (TLSv1.1)
- "1.2" (TLSv1.2)
- "1.3" (TLSv1.3)
*/
std::string ssl_max_tls{};

/**
TLS Cipher.
This is for TLS 1.0, 1.1 and 1.2.
This is for TLS 1.2.
The list is delimited by colons (":").
Cipher names depends on the underlying CURL implementation.
*/
Expand Down
40 changes: 15 additions & 25 deletions ext/src/http/client/curl/http_operation_curl.cc
Original file line number Diff line number Diff line change
Expand Up @@ -414,16 +414,16 @@ void HttpOperation::Cleanup()
To represent versions, the following symbols are needed:
Added in CURL 7.34.0:
- CURL_SSLVERSION_TLSv1_0
- CURL_SSLVERSION_TLSv1_1
- CURL_SSLVERSION_TLSv1_0 (do not use)
- CURL_SSLVERSION_TLSv1_1 (do not use)
- CURL_SSLVERSION_TLSv1_2
Added in CURL 7.52.0:
- CURL_SSLVERSION_TLSv1_3
Added in CURL 7.54.0:
- CURL_SSLVERSION_MAX_TLSv1_0
- CURL_SSLVERSION_MAX_TLSv1_1
- CURL_SSLVERSION_MAX_TLSv1_0 (do not use)
- CURL_SSLVERSION_MAX_TLSv1_1 (do not use)
- CURL_SSLVERSION_MAX_TLSv1_2
- CURL_SSLVERSION_MAX_TLSv1_3
Expand All @@ -439,16 +439,6 @@ void HttpOperation::Cleanup()
static long parse_min_ssl_version(std::string version)
{
#ifdef HAVE_TLS_VERSION
if (version == "1.0")
{
return CURL_SSLVERSION_TLSv1_0;
}

if (version == "1.1")
{
return CURL_SSLVERSION_TLSv1_1;
}

if (version == "1.2")
{
return CURL_SSLVERSION_TLSv1_2;
Expand All @@ -466,16 +456,6 @@ static long parse_min_ssl_version(std::string version)
static long parse_max_ssl_version(std::string version)
{
#ifdef HAVE_TLS_VERSION
if (version == "1.0")
{
return CURL_SSLVERSION_MAX_TLSv1_0;
}

if (version == "1.1")
{
return CURL_SSLVERSION_MAX_TLSv1_1;
}

if (version == "1.2")
{
return CURL_SSLVERSION_MAX_TLSv1_2;
Expand Down Expand Up @@ -730,7 +710,12 @@ CURLcode HttpOperation::Setup()

/* 4 - TLS */

#ifdef HAVE_TLS_VERSION
/* By default, TLSv1.2 or better is required (if we have TLS). */
long min_ssl_version = CURL_SSLVERSION_TLSv1_2;
#else
long min_ssl_version = 0;
#endif

if (!ssl_options_.ssl_min_tls.empty())
{
Expand All @@ -748,6 +733,11 @@ CURLcode HttpOperation::Setup()
#endif
}

/*
* Do not set a max TLS version by default.
* The CURL + openssl library may be more recent than this code,
* and support a version we do not know about.
*/
long max_ssl_version = 0;

if (!ssl_options_.ssl_max_tls.empty())
Expand Down Expand Up @@ -780,7 +770,7 @@ CURLcode HttpOperation::Setup()

if (!ssl_options_.ssl_cipher.empty())
{
/* TLS 1.0, 1.1, 1.2 */
/* TLS 1.2 */
const char *cipher_list = ssl_options_.ssl_cipher.c_str();

rc = SetCurlStrOption(CURLOPT_SSL_CIPHER_LIST, cipher_list);
Expand Down
62 changes: 49 additions & 13 deletions functional/otlp/func_http_main.cc
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ struct TestResult
bool found_request_send_failure = false;
bool found_export_error = false;
bool found_export_success = false;
bool found_unknown_min_tls = false;
bool found_unknown_max_tls = false;

void reset()
{
Expand All @@ -62,6 +64,8 @@ struct TestResult
found_request_send_failure = false;
found_export_error = false;
found_export_success = false;
found_unknown_min_tls = false;
found_unknown_max_tls = false;
}
};

Expand Down Expand Up @@ -96,6 +100,20 @@ void parse_error_msg(TestResult *result, std::string msg)
{
result->found_export_error = true;
}

static std::string unknown_min_tls("Unknown min TLS version");

if (msg.find(unknown_min_tls) != std::string::npos)
{
result->found_unknown_min_tls = true;
}

static std::string unknown_max_tls("Unknown max TLS version");

if (msg.find(unknown_max_tls) != std::string::npos)
{
result->found_unknown_max_tls = true;
}
}

void parse_warning_msg(TestResult * /* result */, std::string /* msg */) {}
Expand Down Expand Up @@ -507,6 +525,24 @@ int expect_request_send_failed()
return TEST_FAILED;
}

int expect_unknown_min_tls()
{
if (g_test_result.found_export_error && g_test_result.found_unknown_min_tls)
{
return TEST_PASSED;
}
return TEST_FAILED;
}

int expect_unknown_max_tls()
{
if (g_test_result.found_export_error && g_test_result.found_unknown_max_tls)
{
return TEST_PASSED;
}
return TEST_FAILED;
}

int expect_export_failed()
{
/*
Expand Down Expand Up @@ -928,7 +964,7 @@ int test_min_tls_unknown()
return expect_export_failed();
}

return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_min_tls_10()
Expand Down Expand Up @@ -963,7 +999,7 @@ int test_min_tls_10()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_min_tls_11()
Expand Down Expand Up @@ -998,7 +1034,7 @@ int test_min_tls_11()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_min_tls_12()
Expand Down Expand Up @@ -1098,7 +1134,7 @@ int test_max_tls_unknown()
return expect_export_failed();
}

return expect_connection_failed();
return expect_unknown_max_tls();
}

int test_max_tls_10()
Expand Down Expand Up @@ -1134,7 +1170,7 @@ int test_max_tls_10()
}

// No support for TLS 1.0
return expect_connection_failed();
return expect_unknown_max_tls();
}

int test_max_tls_11()
Expand Down Expand Up @@ -1170,7 +1206,7 @@ int test_max_tls_11()
}

// No support for TLS 1.1
return expect_connection_failed();
return expect_unknown_max_tls();
}

int test_max_tls_12()
Expand Down Expand Up @@ -1277,7 +1313,7 @@ int test_range_tls_10()
}

// No support for TLS 1.0
return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_range_tls_11()
Expand Down Expand Up @@ -1314,7 +1350,7 @@ int test_range_tls_11()
}

// No support for TLS 1.0
return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_range_tls_12()
Expand Down Expand Up @@ -1423,7 +1459,7 @@ int test_range_tls_10_11()
}

// No support for TLS 1.0, TLS 1.1
return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_range_tls_10_12()
Expand Down Expand Up @@ -1459,7 +1495,7 @@ int test_range_tls_10_12()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_10_13()
Expand Down Expand Up @@ -1495,7 +1531,7 @@ int test_range_tls_10_13()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_11_10()
Expand Down Expand Up @@ -1563,7 +1599,7 @@ int test_range_tls_11_12()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_11_13()
Expand Down Expand Up @@ -1599,7 +1635,7 @@ int test_range_tls_11_13()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_12_10()
Expand Down

1 comment on commit 42563e4

@github-actions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'OpenTelemetry-cpp api Benchmark'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 2.

Benchmark suite Current: 42563e4 Previous: 5e21b8a Ratio
BM_ProcYieldSpinLockThrashing/1/process_time/real_time 0.6519263737822232 ms/iter 0.08130360798663404 ms/iter 8.02
BM_ProcYieldSpinLockThrashing/2/process_time/real_time 0.7943720281607582 ms/iter 0.24841397935788356 ms/iter 3.20
BM_NaiveSpinLockThrashing/1/process_time/real_time 0.3114536859364777 ms/iter 0.07891233734023023 ms/iter 3.95

This comment was automatically generated by workflow using github-action-benchmark.

Please sign in to comment.