TLS1.2 version support by Mender

Hi,
I would like to know whether Mender currently supports TLS1.2 version.
If not, I would also like to know which version Mender currently supports.

From the client’s side, it defaults to the highest supported version available. On the backend side, I am not sure though; I think nginx handles it. Let’s ask @0lmi

May I know what is the highest version supported and how to check this on the client side?

The mender client uses the https://golang.org/pkg/crypto/tls/ package. The client library for the mender client can be found here: https://github.com/mendersoftware/mender/blob/master/client/client.go

The benefit of open source I guess :wink:

TLS version 1.2 is currently supported by backend. See nginx config for details.

Thank you @oleorhagen and @0lmi for your replies.

Since I’m using standalone mender, I’m specifically looking for the client-side TLS support.

I have gone through the https://golang.org/pkg/crypto/tls/ site but I didn’t completely understand the TLS support.

  1. According to the mentioned site, the Go package supports TLS 1.2 and TLS 1.3 partially. Does this mean Mender supports TLS 1.2 and TLS 1.3 partially? What does this partial TLS 1.2 or TLS 1.3 support mean?

  2. Does mender 2.0 support TLS 1.3 (at least partially, as per the site)?

  3. How can I specify whether the mender client chooses TLS 1.2 or TLS 1.3?

@mirzak, any suggestions?

Unfortunately not much to add here. I do not know much about the inner workings of the TLS protocols.

I hope @oleorhagen might have some insight :bulb:

Hi @ajithpv :slightly_smiling_face:

So I’ve done a little bit of digging. The mender-client currently does not support TLS 1.3, as far as I can see (since it is running on go-1.11). We currently do not have any configuration options available for this, but it should be easy enough if you are willing to compile your own client. Then set MinVersion in the tls config in the client.go file, like this (untested):

diff --git a/client/client.go b/client/client.go
index bea3597..b7cb622 100644
--- a/client/client.go
+++ b/client/client.go
@@ -298,6 +298,7 @@ func newHttpsClient(conf Config) (*http.Client, error) {
 	tlsc := tls.Config{
 		RootCAs:            trustedcerts,
 		InsecureSkipVerify: conf.NoVerify,
+		MinVersion:         tls.VersionTLS12,
 	}
 	transport := http.Transport{
 		TLSClientConfig: &tlsc,
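Review bot: MinVersion is hardcoded to tls.VersionTLS12 in the tlsc literal, while the question being answered is how to choose between TLS 1.2 and TLS 1.3 from the client; consider reading the floor from Config (a hypothetical conf.MinTLSVersion, defaulting to tls.VersionTLS12 when unset) so the choice does not require a rebuild each time. Also worth saying in the accompanying text: this line only raises the floor, it does not turn TLS 1.3 on. A client built with go-1.11, as the post above notes, will still never offer 1.3 after this change, and a client that must use only 1.3 needs MinVersion: tls.VersionTLS13 (or an explicit MaxVersion to pin 1.2) rather than this value. The InsecureSkipVerify: conf.NoVerify line immediately above is unchanged by the hunk and still disables chain verification whenever NoVerify is set, regardless of the version floor.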

Should do the trick I think. You mind giving it a go? :wink:

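An added worked example, written for this thread rather than taken from the mender repository, covering both halves of the question: pinning the TLS version bounds in a tls.Config shaped like the one in the diff above, and checking from the client side which version a connection actually negotiated (resp.TLS.Version). The backend is a local httptest server constructed here with a capped MaxVersion, standing in for an nginx whose ssl_protocols is restricted; it is not the Mender backend. The names newHTTPSClient, negotiatedVersion, startServer and trustOnly are chosen here and do not exist in the mender code. It needs a Go toolchain that has TLS 1.3 (go 1.13 or later, as mentioned in the thread).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// tlsVersionName turns a crypto/tls version constant into a readable label.
func tlsVersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	default:
		return fmt.Sprintf("unknown (0x%04x)", v)
	}
}

// newHTTPSClient mirrors the shape of the tls.Config in the diff, but takes the
// version bounds as parameters instead of hardcoding them. A zero minVersion or
// maxVersion leaves that bound at the crypto/tls default. (Example name, not mender's.)
func newHTTPSClient(rootCAs *x509.CertPool, minVersion, maxVersion uint16) *http.Client {
	tlsc := &tls.Config{
		RootCAs:    rootCAs,
		MinVersion: minVersion,
		MaxVersion: maxVersion,
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsc}}
}

// negotiatedVersion performs one GET and reports the protocol version the
// connection actually used: the client-side check asked for in the thread.
// A non-nil error means the handshake (or the request) failed.
func negotiatedVersion(c *http.Client, url string) (uint16, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return 0, fmt.Errorf("%s was not served over TLS", url)
	}
	return resp.TLS.Version, nil
}

// startServer runs a local HTTPS test server that will not speak anything newer
// than maxVersion. This is a constructed stand-in for a backend with a
// restricted protocol list, not the Mender backend.
func startServer(maxVersion uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{MaxVersion: maxVersion}
	srv.StartTLS()
	return srv
}

// trustOnly returns a pool holding just the test server's certificate, so the
// client verifies the chain instead of relying on InsecureSkipVerify.
func trustOnly(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

func main() {
	// Backend that tops out at TLS 1.2.
	srv := startServer(tls.VersionTLS12)
	defer srv.Close()
	pool := trustOnly(srv)

	// Floor at 1.2: the handshake succeeds and lands on TLS 1.2.
	v, err := negotiatedVersion(newHTTPSClient(pool, tls.VersionTLS12, 0), srv.URL)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("MinVersion TLS 1.2 against a TLS 1.2 backend:", tlsVersionName(v))

	// Floor at 1.3: the same backend is rejected at handshake time.
	_, err = negotiatedVersion(newHTTPSClient(pool, tls.VersionTLS13, 0), srv.URL)
	fmt.Println("MinVersion TLS 1.3 against a TLS 1.2 backend:", err)
}
```

The point the two calls in main make is the one the diff does not: MinVersion is only a floor. Against a backend that speaks 1.3 the same client will negotiate 1.3 on its own; set MaxVersion if you need to pin 1.2, and MinVersion: tls.VersionTLS13 if 1.2 must be refused.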
If you want TLS 1.3 support, you have to build off of a newer Go. Preferably 1.13

Thank you so much @oleorhagen for the findings.

There is a discussion on our side about TLS 1.2 vs TLS 1.3 usage on our platform.
I might have to try TLS 1.3 if the decision is to stick with TLS 1.3.

You’re welcome :sun_with_face:

In general it should be easy enough with the given change; then make sure you are using go-1.13 and run make build in the mender repo. If not, you can also build from source using Yocto (with local sources). Just get back to me if you decide to go with this solution and are having issues.

-OO
