Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1, require TLS 1.2 #2722

Merged
merged 7 commits into from
Jul 2, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,25 @@ Increment the:

## [Unreleased]

* [SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1,
require TLS 1.2 or better
[#2721](https://github.com/open-telemetry/opentelemetry-cpp/pull/2721)

Breaking changes:

* [SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1,
require TLS 1.2 or better
[#2721](https://github.com/open-telemetry/opentelemetry-cpp/pull/2721)
* The OTLP HTTP exporter no longer accept options like:
* min_TLS = 1.0
* min_TLS = 1.1
* max_TLS = 1.0
* max_TLS = 1.1
* When connecting to an OTLP HTTP endpoint, using `https`,
the connection will require TLS 1.2 by default,
unless min_TLS is set to 1.3
* Plain `http` connections (insecure) are not affected.

## [1.16.0] 2024-06-21

* [BUILD] Upgrade bazel abseil from 20220623.1 to 20230802.2
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ std::string GetOtlpDefaultTracesSslTlsMaxVersion();
std::string GetOtlpDefaultMetricsSslTlsMaxVersion();
std::string GetOtlpDefaultLogsSslTlsMaxVersion();

// For TLS 1.0, 1.1, 1.2
// For TLS 1.2
std::string GetOtlpDefaultTracesSslTlsCipher();
std::string GetOtlpDefaultMetricsSslTlsCipher();
std::string GetOtlpDefaultLogsSslTlsCipher();
Expand Down
8 changes: 2 additions & 6 deletions ext/include/opentelemetry/ext/http/client/http_client.h
Original file line number Diff line number Diff line change
Expand Up @@ -192,9 +192,7 @@ struct HttpSslOptions
/**
Minimum SSL version to use.
Valid values are:
- empty (no minimum version required)
- "1.0" (TLSv1.0)
- "1.1" (TLSv1.1)
- empty (defaults to TLSv1.2)
- "1.2" (TLSv1.2)
- "1.3" (TLSv1.3)
*/
Expand All @@ -204,16 +202,14 @@ struct HttpSslOptions
Maximum SSL version to use.
Valid values are:
- empty (no maximum version required)
- "1.0" (TLSv1.0)
- "1.1" (TLSv1.1)
- "1.2" (TLSv1.2)
- "1.3" (TLSv1.3)
*/
std::string ssl_max_tls{};

/**
TLS Cipher.
This is for TLS 1.0, 1.1 and 1.2.
This is for TLS 1.2.
The list is delimited by colons (":").
Cipher names depends on the underlying CURL implementation.
*/
Expand Down
40 changes: 15 additions & 25 deletions ext/src/http/client/curl/http_operation_curl.cc
Original file line number Diff line number Diff line change
Expand Up @@ -414,16 +414,16 @@ void HttpOperation::Cleanup()
To represent versions, the following symbols are needed:

Added in CURL 7.34.0:
- CURL_SSLVERSION_TLSv1_0
- CURL_SSLVERSION_TLSv1_1
- CURL_SSLVERSION_TLSv1_0 (do not use)
- CURL_SSLVERSION_TLSv1_1 (do not use)
- CURL_SSLVERSION_TLSv1_2

Added in CURL 7.52.0:
- CURL_SSLVERSION_TLSv1_3

Added in CURL 7.54.0:
- CURL_SSLVERSION_MAX_TLSv1_0
- CURL_SSLVERSION_MAX_TLSv1_1
- CURL_SSLVERSION_MAX_TLSv1_0 (do not use)
- CURL_SSLVERSION_MAX_TLSv1_1 (do not use)
- CURL_SSLVERSION_MAX_TLSv1_2
- CURL_SSLVERSION_MAX_TLSv1_3

Expand All @@ -439,16 +439,6 @@ void HttpOperation::Cleanup()
static long parse_min_ssl_version(std::string version)
{
#ifdef HAVE_TLS_VERSION
if (version == "1.0")
{
return CURL_SSLVERSION_TLSv1_0;
}

if (version == "1.1")
{
return CURL_SSLVERSION_TLSv1_1;
}

if (version == "1.2")
{
return CURL_SSLVERSION_TLSv1_2;
Expand All @@ -466,16 +456,6 @@ static long parse_min_ssl_version(std::string version)
static long parse_max_ssl_version(std::string version)
{
#ifdef HAVE_TLS_VERSION
if (version == "1.0")
{
return CURL_SSLVERSION_MAX_TLSv1_0;
}

if (version == "1.1")
{
return CURL_SSLVERSION_MAX_TLSv1_1;
}

if (version == "1.2")
{
return CURL_SSLVERSION_MAX_TLSv1_2;
Expand Down Expand Up @@ -730,7 +710,12 @@ CURLcode HttpOperation::Setup()

/* 4 - TLS */

#ifdef HAVE_TLS_VERSION
/* By default, TLSv1.2 or better is required (if we have TLS). */
long min_ssl_version = CURL_SSLVERSION_TLSv1_2;
#else
long min_ssl_version = 0;
#endif

if (!ssl_options_.ssl_min_tls.empty())
{
Expand All @@ -748,6 +733,11 @@ CURLcode HttpOperation::Setup()
#endif
}

/*
* Do not set a max TLS version by default.
* The CURL + openssl library may be more recent than this code,
* and support a version we do not know about.
*/
long max_ssl_version = 0;

if (!ssl_options_.ssl_max_tls.empty())
Expand Down Expand Up @@ -780,7 +770,7 @@ CURLcode HttpOperation::Setup()

if (!ssl_options_.ssl_cipher.empty())
{
/* TLS 1.0, 1.1, 1.2 */
/* TLS 1.2 */
const char *cipher_list = ssl_options_.ssl_cipher.c_str();

rc = SetCurlStrOption(CURLOPT_SSL_CIPHER_LIST, cipher_list);
Expand Down
62 changes: 49 additions & 13 deletions functional/otlp/func_http_main.cc
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ struct TestResult
bool found_request_send_failure = false;
bool found_export_error = false;
bool found_export_success = false;
bool found_unknown_min_tls = false;
bool found_unknown_max_tls = false;

void reset()
{
Expand All @@ -62,6 +64,8 @@ struct TestResult
found_request_send_failure = false;
found_export_error = false;
found_export_success = false;
found_unknown_min_tls = false;
found_unknown_max_tls = false;
}
};

Expand Down Expand Up @@ -96,6 +100,20 @@ void parse_error_msg(TestResult *result, std::string msg)
{
result->found_export_error = true;
}

static std::string unknown_min_tls("Unknown min TLS version");

if (msg.find(unknown_min_tls) != std::string::npos)
{
result->found_unknown_min_tls = true;
}

static std::string unknown_max_tls("Unknown max TLS version");

if (msg.find(unknown_max_tls) != std::string::npos)
{
result->found_unknown_max_tls = true;
}
}

void parse_warning_msg(TestResult * /* result */, std::string /* msg */) {}
Expand Down Expand Up @@ -507,6 +525,24 @@ int expect_request_send_failed()
return TEST_FAILED;
}

int expect_unknown_min_tls()
{
if (g_test_result.found_export_error && g_test_result.found_unknown_min_tls)
{
return TEST_PASSED;
}
return TEST_FAILED;
}

int expect_unknown_max_tls()
{
if (g_test_result.found_export_error && g_test_result.found_unknown_max_tls)
{
return TEST_PASSED;
}
return TEST_FAILED;
}

int expect_export_failed()
{
/*
Expand Down Expand Up @@ -928,7 +964,7 @@ int test_min_tls_unknown()
return expect_export_failed();
}

return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_min_tls_10()
Expand Down Expand Up @@ -963,7 +999,7 @@ int test_min_tls_10()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_min_tls_11()
Expand Down Expand Up @@ -998,7 +1034,7 @@ int test_min_tls_11()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_min_tls_12()
Expand Down Expand Up @@ -1098,7 +1134,7 @@ int test_max_tls_unknown()
return expect_export_failed();
}

return expect_connection_failed();
return expect_unknown_max_tls();
}

int test_max_tls_10()
Expand Down Expand Up @@ -1134,7 +1170,7 @@ int test_max_tls_10()
}

// No support for TLS 1.0
return expect_connection_failed();
return expect_unknown_max_tls();
}

int test_max_tls_11()
Expand Down Expand Up @@ -1170,7 +1206,7 @@ int test_max_tls_11()
}

// No support for TLS 1.1
return expect_connection_failed();
return expect_unknown_max_tls();
}

int test_max_tls_12()
Expand Down Expand Up @@ -1277,7 +1313,7 @@ int test_range_tls_10()
}

// No support for TLS 1.0
return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_range_tls_11()
Expand Down Expand Up @@ -1314,7 +1350,7 @@ int test_range_tls_11()
}

// No support for TLS 1.0
return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_range_tls_12()
Expand Down Expand Up @@ -1423,7 +1459,7 @@ int test_range_tls_10_11()
}

// No support for TLS 1.0, TLS 1.1
return expect_connection_failed();
return expect_unknown_min_tls();
}

int test_range_tls_10_12()
Expand Down Expand Up @@ -1459,7 +1495,7 @@ int test_range_tls_10_12()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_10_13()
Expand Down Expand Up @@ -1495,7 +1531,7 @@ int test_range_tls_10_13()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_11_10()
Expand Down Expand Up @@ -1563,7 +1599,7 @@ int test_range_tls_11_12()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_11_13()
Expand Down Expand Up @@ -1599,7 +1635,7 @@ int test_range_tls_11_13()
return expect_connection_failed();
}

return expect_success();
return expect_unknown_min_tls();
}

int test_range_tls_12_10()
Expand Down