Removed TLSv1.1 from default set of supported protocols (#203856)

## Summary Removed `TLSv1.1` from default set of supported protocols. ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release Note Removed `TLSv1.1` from default set of supported protocols __Closes: https://github.com/elastic/kibana/issues/184756__ --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2024-12-16 16:27:44 +01:00 · 2024-12-16 16:27:44 +01:00 · a25f1954bf
commit a25f1954bf
parent 5077e6d63d
5 changed files with 4 additions and 5 deletions
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@ -565,7 +565,9 @@ all http requests to https over the port configured as <<server-port, `server.po

 [[server-ssl-supportedProtocols]] `server.ssl.supportedProtocols`::
 An array of supported protocols with versions.
-Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. *Default: TLSv1.1, TLSv1.2, TLSv1.3*
+Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. *Default: TLSv1.2, TLSv1.3*
+Enabling `TLSv1.1` would require both setting the `--tls-min-1.1` option in the `node.options` configuration and adding `TLSv1.1` to `server.ssl.supportedProtocols`.
+`HTTP/2` requires the use of minimum `TLSv1.2` for secure connections.

 [[server-uuid]] `server.uuid`::
 The unique identifier for this {kib} instance. It must be a valid UUIDv4. It gets automatically generated on the first startup if not specified and persisted in the `data` path.
--- a/packages/core/http/core-http-server-internal/src/snapshots/http_config.test.ts.snap
+++ b/packages/core/http/core-http-server-internal/src/snapshots/http_config.test.ts.snap
@ -131,7 +131,6 @@ Object {
    "enabled": false,
    "keystore": Object {},
    "supportedProtocols": Array [
-      "TLSv1.1",
      "TLSv1.2",
      "TLSv1.3",
    ],
--- a/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts
+++ b/packages/core/usage-data/core-usage-data-server-internal/src/core_usage_data_service.test.ts
@ -355,7 +355,6 @@ describe('CoreUsageDataService', () => {
                  "keystoreConfigured": false,
                  "redirectHttpFromPortConfigured": false,
                  "supportedProtocols": Array [
-                    "TLSv1.1",
                    "TLSv1.2",
                    "TLSv1.3",
                  ],
--- a/packages/kbn-health-gateway-server/src/server/server_config.test.ts
+++ b/packages/kbn-health-gateway-server/src/server/server_config.test.ts
@ -56,7 +56,6 @@ describe('server config', () => {
          "enabled": false,
          "keystore": Object {},
          "supportedProtocols": Array [
-            "TLSv1.1",
            "TLSv1.2",
            "TLSv1.3",
          ],
--- a/packages/kbn-server-http-tools/src/ssl/ssl_config.ts
+++ b/packages/kbn-server-http-tools/src/ssl/ssl_config.ts
@ -52,7 +52,7 @@ export const sslSchema = schema.object(
        schema.literal(TLS_V1_2),
        schema.literal(TLS_V1_3),
      ]),
-      { defaultValue: [TLS_V1_1, TLS_V1_2, TLS_V1_3], minSize: 1 }
+      { defaultValue: [TLS_V1_2, TLS_V1_3], minSize: 1 }
    ),
    clientAuthentication: schema.oneOf(
      [schema.literal('none'), schema.literal('optional'), schema.literal('required')],