Enable TLS 1.3

pivotal · Sep 25, 2024 · a8da2a7 · a8da2a7
1 parent 7fae363
commit a8da2a7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/jobs/credhub/templates/application_server.yml.erb b/jobs/credhub/templates/application_server.yml.erb
@@ -3,7 +3,9 @@
     'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
     'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
     'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
-    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
+    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+    'TLS_AES_128_GCM_SHA256',
+    'TLS_AES_256_GCM_SHA384'
   ]
   # CredHubDeprecatedStartingAfter(2.1.2)
   if p('credhub.java7_tls_ciphers_enabled')
@@ -17,7 +19,7 @@
       'port' => p('credhub.port'),
       'ssl' => {
         'enabled' => true,
-        'enabled_protocols' => 'TLSv1.2',
+        'enabled_protocols' => 'TLSv1.2,TLSv1.3',
         'ciphers' => ciphers.join(','),
         'key_store' => '/var/vcap/jobs/credhub/config/cacerts.jks',
         'key_password' => '${KEY_STORE_PASSWORD}',

diff --git a/spec/credhub/application_server_yml_spec.rb b/spec/credhub/application_server_yml_spec.rb
@@ -23,7 +23,7 @@
         rendered_template = YAML.safe_load(template.render(manifest))
 
         expect(rendered_template['server']['ssl']['enabled']).to eq(true)
-        expect(rendered_template['server']['ssl']['enabled_protocols']).to eq('TLSv1.2')
+        expect(rendered_template['server']['ssl']['enabled_protocols']).to eq('TLSv1.2,TLSv1.3')
         expect(rendered_template['server']['ssl']['key_store']).to eq('/var/vcap/jobs/credhub/config/cacerts.jks')
         expect(rendered_template['server']['ssl']['key_password']).to eq('${KEY_STORE_PASSWORD}')
         expect(rendered_template['server']['ssl']['key_store_password']).to eq('${KEY_STORE_PASSWORD}')
@@ -40,6 +40,8 @@
                                 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
                                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                                 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+                                TLS_AES_128_GCM_SHA256
+                                TLS_AES_256_GCM_SHA384
                               ])
       end
 
@@ -91,6 +93,8 @@
                                 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
                                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                                 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+                                TLS_AES_128_GCM_SHA256
+                                TLS_AES_256_GCM_SHA384
                                 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
                                 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
                               ])