GoLang version 1.22 effects TLS versions under 1.3
This document (000021551) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Rancher v2.9.x
SUSE Rancher v2.8.7+
SUSE Rancher v2.8.7+
Situation
In GoLang version 1.22, by default, the minimum version offered by crypto/tls servers is now TLS 1.2 if not specified with config.MinimumVersion, matching the behavior of crypto/tls clients. This change can be reverted with the tls10server=1 GODEBUG setting.
By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes. This change can be reverted with the tlsrsakex=1 GODEBUG setting.
Please note the following:
By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes. This change can be reverted with the tlsrsakex=1 GODEBUG setting.
Please note the following:
- Applications accessing Rancher Manager offering only TLS versions below 1.2 will fail.
- Applications accessing Rancher Manager using TLS 1.2 without offering ECDHE ciphers will fail.
- Rancher Manager accessing applications that do not support TLS 1.3 and do not offer ECDHE ciphers under TLS 1.2 will fail.
Resolution
For deployments via Helm, it can be done via extraEnv:
--set 'extraEnv[0].name=GODEBUG' --set 'extraEnv[0].value=tlsrsakex=1,tls10server=1'
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021551
- Creation Date: 09-Sep-2024
- Modified Date:12-Sep-2024
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
