Based on the feedback provided so far, the PR is submitted: https://github.com/apache/trafficcontrol/pull/4573
-Zach

On Mon, Mar 23, 2020 at 9:47 AM Robert O Butts <[email protected]> wrote:

> I'm also +1 if it makes it work.
>
> From a security perspective, TLS 1.1 isn't broken. TLS 1.2 and 1.3 are
> improvements, but 1.1 doesn't have significant known vulnerabilities. Using
> 1.3+ would be ideal, but 1.1 isn't the end of the world.
>
> On Mon, Mar 23, 2020 at 9:36 AM Fieck, Brennan <[email protected]>
> wrote:
>
> > I'm +1 provided it works
> > ________________________________
> > From: Zach Hoffman <[email protected]>
> > Sent: Saturday, March 21, 2020 19:58
> > To: [email protected] <[email protected]>
> > Subject: [EXTERNAL] Go version for TO
> >
> > As Rawlin mentions in the thread titled "Go version for components other than
> > TO", Traffic Ops has issues communicating with Riak when built with Go
> > versions 1.12 or higher. I looked a bit into why that is, and TO can
> > successfully use TLS 1.1 to communicate with Riak instead of TLS 1.2 (the
> > default). My update_go_1.13 branch includes the changes that are necessary
> > to make this work:
> >
> > https://github.com/zrhoffman/trafficcontrol/commits/update_go_1.13
> >
> > Let me explain why I am using TLS 1.1, and why TO using TLS 1.2 to
> > communicate with Riak KV version 2.2.3 is not an option for Go versions
> > 1.12 and higher.
> >
> > Riak KV 2.2.3 fails to work if the client sends it an unknown signature
> > algorithm in the "hello" message of the TLS 1.2 handshake (see related
> > Erlang bug from 2015: https://github.com/erlang/otp/pull/767). That is not
> > an issue in Go 1.11, which luckily uses signature algorithms
> > (https://go.googlesource.com/go/+/refs/tags/go1.11.13/src/crypto/tls/common.go#138)
> > that are all known to Riak.
> >
> > In Go 1.12 (specifically in commit
> > https://go.googlesource.com/go/+/ee7e443389), signature algorithms are
> > added that are unknown to Riak, so TLS 1.2 cannot be used in Go versions >=
> > 1.12 without patching the crypto/tls package, because the list of signature
> > algorithms sent to the server is hard-coded (see:
> > https://go.googlesource.com/go/+/refs/tags/go1.13.9/src/crypto/tls/handshake_client.go#116).
> >
> > On a side note, a proposal was accepted that lets you configure supported
> > signature algorithms (https://github.com/golang/go/issues/28660,
> > implemented in https://go.googlesource.com/go/+/5b17b65750), which lets
> > you choose the signature algorithm used for the TLS session. That is
> > different than the signature algorithm used in the handshake.
> >
> > This makes TLS 1.1 the highest TLS version that can be used by Go versions
> > 1.12 and higher to communicate with Riak KV 2.2.3, because signature
> > algorithms are a TLS 1.2 addition.
> >
> > Does anyone have thoughts about updating the version of Go used to compile
> > Traffic Ops (and potentially the other components) and opting for TLS 1.1
> > for TO~Riak communication?
> >
> > -Zach
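The wire-level difference the thread turns on can be checked without a Riak instance at all. The Go program below is an added example, not code from this thread or from Traffic Control: it starts Go's own TLS client over an in-memory net.Pipe, captures the ClientHello the client writes, and reports the legacy_version field together with the signature_algorithms extension (type 13) that crypto/tls hard-codes into TLS 1.2 handshakes. With MaxVersion capped at tls.VersionTLS11, the setting proposed for TO~Riak, the extension is absent, because signature algorithms only exist from TLS 1.2 on; with MaxVersion at TLS 1.2 it is present and the program lists every scheme Go offers, which is the list a server such as Riak KV 2.2.3 has to recognise. The server name riak.example is a placeholder, not a real host, and the cursor type is a minimal wire-format reader written for this example. One caveat the thread predates: since Go 1.18 a client's MinVersion defaults to TLS 1.2 when unset, so a TLS 1.1 connection now needs MinVersion set explicitly as well, otherwise the handshake fails before a single byte is sent.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

type ClientHelloSummary struct {
	LegacyVersion    uint16                // 0x0302 (770) = TLS 1.1, 0x0303 (771) = TLS 1.2 and TLS 1.3 hellos
	HasSigAlgs       bool                  // signature_algorithms extension (type 13) present?
	SignatureSchemes []tls.SignatureScheme // schemes offered, in the order Go sends them
}

// captureClientHello runs a Go TLS client over an in-memory pipe (no server) and parses the first record it writes.
func captureClientHello(minVersion, maxVersion uint16) (ClientHelloSummary, error) {
	clientEnd, serverEnd := net.Pipe()
	cfg := &tls.Config{
		MinVersion: minVersion,     // explicit: recent Go releases default the client minimum to TLS 1.2
		MaxVersion: maxVersion,     // the knob the thread proposes capping at TLS 1.1 for Riak
		ServerName: "riak.example", // hypothetical; Go needs SNI or InsecureSkipVerify to build a hello
	}
	go func() { // the client writes its hello, then blocks on a ServerHello that never comes
		_ = tls.Client(clientEnd, cfg).Handshake()
		clientEnd.Close() // unblocks our read if the client gave up before writing anything
	}()
	hdr := make([]byte, 5) // record header: type(1) version(2) length(2)
	_, err := io.ReadFull(serverEnd, hdr)
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:])) // empty if the header read failed
	if err == nil {
		_, err = io.ReadFull(serverEnd, body)
	}
	serverEnd.Close() // the client's pending read now returns EOF and the goroutine exits
	if err != nil {
		return ClientHelloSummary{}, fmt.Errorf("reading ClientHello: %w", err)
	}
	return parseClientHello(body)
}

// cursor reads TLS wire-format fields; any overrun sets fail and later reads yield nothing.
type cursor struct{ b []byte; fail bool }
func (c *cursor) take(n int) []byte {
	if c.fail = c.fail || len(c.b) < n; c.fail {
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) num(lenBytes int) int { // big-endian integer; TLS lengths are 1, 2 or 3 bytes
	n := 0
	for _, x := range c.take(lenBytes) {
		n = n<<8 | int(x)
	}
	return n
}

func (c *cursor) vector(lenBytes int) []byte { return c.take(c.num(lenBytes)) } // length-prefixed vector
// parseClientHello reads legacy_version and the signature_algorithms extension (RFC 5246 7.4.1.2, 7.4.1.4.1).
func parseClientHello(record []byte) (ClientHelloSummary, error) {
	var s ClientHelloSummary
	msg := cursor{b: record}
	msgType := msg.num(1)             // HandshakeType client_hello is 1
	hello := cursor{b: msg.vector(3)} // 24-bit length; Go sends one message per record
	s.LegacyVersion = uint16(hello.num(2))
	hello.take(32)  // random
	hello.vector(1) // session_id
	hello.vector(2) // cipher_suites
	hello.vector(1) // compression_methods
	var exts cursor
	if len(hello.b) > 0 { // extensions are optional before TLS 1.3
		exts.b = hello.vector(2)
	}
	for !exts.fail && len(exts.b) > 0 {
		typ := exts.num(2)
		data := cursor{b: exts.vector(2)}
		if typ == 13 { // signature_algorithms: SignatureScheme list<2..2^16-2>
			s.HasSigAlgs = true
			list := cursor{b: data.vector(2)}
			for !list.fail && len(list.b) > 0 {
				s.SignatureSchemes = append(s.SignatureSchemes, tls.SignatureScheme(list.num(2)))
			}
			exts.fail = data.fail || list.fail || len(data.b) != 0 // bad length, odd list or trailing bytes
		}
	}
	if msgType != 1 || msg.fail || hello.fail || exts.fail || len(msg.b)+len(hello.b) != 0 {
		return ClientHelloSummary{}, fmt.Errorf("not a well-formed ClientHello")
	}
	return s, nil
}

func main() { // the thread's proposed cap (TLS 1.1) versus the Go default for a TLS 1.2 server
	fmt.Println(captureClientHello(tls.VersionTLS11, tls.VersionTLS11))
	fmt.Println(captureClientHello(tls.VersionTLS11, tls.VersionTLS12))
}
```

Run with go run: the first line is the TLS 1.1 hello (version 770, no signature_algorithms, empty scheme list), the second the TLS 1.2 hello with the full scheme list the running Go version hard-codes. Which of those schemes a particular server chokes on is not something the program can tell you; that is exactly the Riak KV 2.2.3 behaviour the thread describes, and the change the thread settles on sidesteps it by never sending the list at all.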
