
fix: default backend TLS max version to 1.3#9412

Open
vishwas-bm wants to merge 1 commit into
envoyproxy:mainfrom
nokia:fix/backend-tls-default-max-version-9395
Open

Conversation

@vishwas-bm


What this PR does / why we need it:

This bug fix applies the documented defaults (min TLS 1.2, max TLS 1.3) in applyBackendTLSSetting when the versions are not configured.

Which issue(s) this PR fixes:
Fixes #9395


PR Checklist

  • Authorship & ownership: Coding agents / AI assistants are welcome, but I have reviewed every change, understand how and why it works, can explain and maintain it, and take full responsibility for this PR. I have not submitted generated output I do not understand.
  • DCO: All commits are signed off (git commit -s). See DCO: Sign your work.
  • API agreed first: If this PR contains API changes (changes under /api), the API was discussed and agreed before the implementation. The API change can be in a separate PR, or in the same PR, but the API must be agreed before implementation. N/A if this PR does not contain API changes.
  • Required checks pass: make generate gen-check, make lint, and the unit-test/coverage build pass. (Flaky e2e failures are not considered breakages, but gen-check, lint, and coverage MUST pass.)
  • Tests added/updated: New/changed code is covered by appropriate tests. N/A if this PR does not contain code changes.
  • Docs: User-facing changes update the docs, either in this PR or a follow-up PR. N/A if this PR does not contain user-facing changes.
  • Release notes: For any non-trivial change, added a release-note fragment under release-notes/current/<section>/<pr-number>-<slug>.md (see release-notes/current/README.md for sections and naming). N/A if this PR does not contain non-trivial changes.
  • Generated files committed: Ran make gen-check and committed the result if API/helm charts/modules changed.
  • Scope & compatibility: The PR is reasonably scoped (no unrelated changes) and preserves backward compatibility, or any breaking change is called out above and documented in release-notes/current/breaking_changes/.
  • Codex review: Requested a Codex review and addressed all of its comments.
  • Copilot review: Requested a Copilot review and addressed all of its comments.

Backend (upstream) TLS connections were silently capped at TLS 1.2.
Apply the defaults (min 1.2, max 1.3) in applyBackendTLSSetting when not configured.

Fixes envoyproxy#9395

Signed-off-by: vishwas-bm <b_m.vishwas@nokia.com>
@vishwas-bm vishwas-bm requested a review from a team as a code owner July 3, 2026 12:24
@netlify

netlify Bot commented Jul 3, 2026


Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit d7d8a30
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a47b166dc338b000737cd5e
😎 Deploy Preview https://deploy-preview-9412--cerulean-figolla-1f9435.netlify.app

@zirain

zirain commented Jul 3, 2026

Member

@guydc is this a breaking change? should we fix the document instead?

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e369633d80


Comment thread internal/gatewayapi/listener_test.go
@codecov

codecov Bot commented Jul 3, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.32%. Comparing base (29cb580) to head (d7d8a30).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #9412   +/-   ##
=======================================
  Coverage   75.31%   75.32%           
=======================================
  Files         252      252           
  Lines       41434    41438    +4     
=======================================
+ Hits        31208    31215    +7     
  Misses       8111     8111           
+ Partials     2115     2112    -3     


@vishwas-bm vishwas-bm force-pushed the fix/backend-tls-default-max-version-9395 branch from e369633 to d7d8a30 Compare July 3, 2026 12:56
@jukie

jukie commented Jul 3, 2026

Contributor

I suspect this was a misunderstanding based on the envoy docs: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto

tls_maximum_protocol_version
(extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol) Maximum TLS protocol version. By default, it’s TLSv1_2 for clients and TLSv1_3 for servers.

I don't think there's a scenario where a connection that previously succeeded would now fail, so I think bugfix is right vs breaking change.
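The defaulting rule behind this thread, as an added example that is not Envoy Gateway's or Envoy's own code: Envoy fills in `tls_maximum_protocol_version` differently for client (upstream) and server contexts, so a backend TLS configuration that leaves the maximum unset is capped at TLS 1.2 even though the Envoy Gateway docs promise 1.3. The snippet models that rule with a simplified `TLSParams` struct, shows the pre-fix behaviour (unset maximum on the upstream side refuses a TLS 1.3 peer), and then a hypothetical `applyBackendTLSDefaults` that does what the PR description says `applyBackendTLSSetting` now does: fill in min 1.2 / max 1.3 only when the versions are not configured. The type and function names, and the assumption that Envoy's minimum also defaults to 1.2, are mine, not the project's.

```go
package main

import "fmt"

// TLSVersion models Envoy's TlsParameters.TlsProtocol enum (hypothetical
// Go names; the ordering lets versions be compared with < and >).
type TLSVersion int

const (
	TLSAuto TLSVersion = iota // not configured: Envoy picks a default
	TLSv1_0
	TLSv1_1
	TLSv1_2
	TLSv1_3
)

func (v TLSVersion) String() string {
	return [...]string{"AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"}[v]
}

// TLSParams is a simplified stand-in for Envoy's TlsParameters message.
type TLSParams struct {
	MinVersion TLSVersion
	MaxVersion TLSVersion
}

// effectiveRange applies Envoy's own defaulting for fields left at TLSAuto.
// The maximum default is the one quoted from the Envoy docs in this thread:
// TLSv1_2 for clients (upstream connections), TLSv1_3 for servers.
// The minimum defaulting to TLSv1_2 is assumed here, not stated on the page.
func effectiveRange(p TLSParams, isClient bool) (TLSVersion, TLSVersion) {
	minV, maxV := p.MinVersion, p.MaxVersion
	if minV == TLSAuto {
		minV = TLSv1_2
	}
	if maxV == TLSAuto {
		if isClient {
			maxV = TLSv1_2 // the silent cap the PR fixes
		} else {
			maxV = TLSv1_3
		}
	}
	return minV, maxV
}

// allows reports whether a peer speaking version v falls inside the range
// that Envoy would negotiate for this configuration.
func allows(p TLSParams, isClient bool, v TLSVersion) bool {
	minV, maxV := effectiveRange(p, isClient)
	return v >= minV && v <= maxV
}

// applyBackendTLSDefaults is a hypothetical equivalent of the fix: set the
// documented defaults (min 1.2, max 1.3) only when a version is unset, so
// explicitly configured values are left untouched.
func applyBackendTLSDefaults(p TLSParams) TLSParams {
	if p.MinVersion == TLSAuto {
		p.MinVersion = TLSv1_2
	}
	if p.MaxVersion == TLSAuto {
		p.MaxVersion = TLSv1_3
	}
	return p
}

func main() {
	unset := TLSParams{} // backend TLS with neither version configured
	fmt.Printf("before fix, upstream accepts TLS 1.3: %v\n", allows(unset, true, TLSv1_3))
	fixed := applyBackendTLSDefaults(unset)
	fmt.Printf("after fix: min=%s max=%s, accepts TLS 1.3: %v\n",
		fixed.MinVersion, fixed.MaxVersion, allows(fixed, true, TLSv1_3))
}
```

Because the defaults are only written into unset fields, every configuration that negotiated before still negotiates afterwards; the only change is that an upstream previously stuck at 1.2 may now agree on 1.3, which is the reasoning for treating this as a bug fix rather than a breaking change.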

@jukie jukie requested review from a team and zirain July 3, 2026 19:15