feat(tls): add configurable TLS security profile [Backport release/0.5.z]#2406
Merged
Conversation
Replace the hardcoded mozilla_modern_v5 (TLS 1.3 only) SSL acceptor with a configurable TLS security profile aligned with OpenShift TLS Security Profiles. The new --http-server-tls-security-profile flag supports four profiles: old (TLS 1.0+), intermediate (TLS 1.2+, new default), modern (TLS 1.3 only), and custom (user-defined min version and cipher suites). This changes the default from Modern to Intermediate to match the OpenShift default and broaden client compatibility. Implements TC-3426 Assisted-by: Claude Code (cherry picked from commit 5764a31)
Change the default TLS security profile from intermediate (TLS 1.2+) to modern (TLS 1.3 only), preserving the existing security posture. Operators who need broader compatibility can opt in to a less restrictive profile via HTTP_SERVER_TLS_SECURITY_PROFILE. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> (cherry picked from commit 01eb2bf)
Contributor
Reviewer's GuideBackports configurable TLS security profiles to the HTTP server, adding CLI/env configuration for TLS profiles and custom TLS parameters, wiring them into the OpenSSL acceptor, and documenting the new environment variables with tests to validate behavior. Sequence diagram for configuring TLS security profile in HTTP serversequenceDiagram
actor User
participant HttpServerConfig
participant HttpServerBuilder
participant build_ssl_acceptor
participant SslAcceptor
User->>HttpServerConfig: set tls_enabled, tls_security_profile, tls_min_version, tls_ciphers, tls_ciphersuites
User->>HttpServerBuilder: HttpServerBuilder::try_from(HttpServerConfig)
activate HttpServerBuilder
HttpServerBuilder->>HttpServerBuilder: [tls_enabled]
alt profile is Custom and tls_min_version is None
HttpServerBuilder-->>User: Err(anyhow!("Custom TLS profile requires --http-server-tls-min-version"))
else valid TLS config
HttpServerBuilder->>HttpServerBuilder: tls(TlsConfiguration)
HttpServerBuilder-->>User: Ok(HttpServerBuilder)
deactivate HttpServerBuilder
User->>HttpServerBuilder: build()
activate HttpServerBuilder
HttpServerBuilder->>build_ssl_acceptor: build_ssl_acceptor(&TlsConfiguration)
activate build_ssl_acceptor
alt security_profile is Old
build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_intermediate_v5
build_ssl_acceptor->>SslAcceptor: set_min_proto_version(None)
else security_profile is Intermediate
build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_intermediate_v5
else security_profile is Modern
build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_modern_v5
else security_profile is Custom
build_ssl_acceptor->>SslAcceptor: SslAcceptor::mozilla_intermediate_v5
opt custom min_version
build_ssl_acceptor->>TlsMinVersion: to_ssl_version()
build_ssl_acceptor->>SslAcceptor: set_min_proto_version(SslVersion)
end
opt custom ciphers
build_ssl_acceptor->>SslAcceptor: set_cipher_list(ciphers)
end
opt custom ciphersuites
build_ssl_acceptor->>SslAcceptor: set_ciphersuites(ciphersuites)
end
end
build_ssl_acceptor-->>HttpServerBuilder: SslAcceptorBuilder
deactivate build_ssl_acceptor
HttpServerBuilder-->>User: running HTTPS server
deactivate HttpServerBuilder
end
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Contributor
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The validation error for a custom TLS profile (
"Custom TLS profile requires --http-server-tls-min-version") is flag-specific; consider rewording to mention both the CLI flag and theHTTP_SERVER_TLS_MIN_VERSIONenv var (or just “a minimum TLS version”) to better match all configuration entry points. - Requiring
tls_min_versionfor theCustomTLS profile even when only custom cipher lists are provided is a bit rigid; consider allowing a custom profile with just ciphers/ciphersuites configured and treatingtls_min_versionas optional in that case.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The validation error for a custom TLS profile (`"Custom TLS profile requires --http-server-tls-min-version"`) is flag-specific; consider rewording to mention both the CLI flag and the `HTTP_SERVER_TLS_MIN_VERSION` env var (or just “a minimum TLS version”) to better match all configuration entry points.
- Requiring `tls_min_version` for the `Custom` TLS profile even when only custom cipher lists are provided is a bit rigid; consider allowing a custom profile with just ciphers/ciphersuites configured and treating `tls_min_version` as optional in that case.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
jcrossley3
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Backport of #2385 to
release/0.5.z.Summary by Sourcery
Add configurable TLS security profiles to the HTTP server and expose related configuration via CLI and environment variables.
New Features:
Enhancements:
Documentation:
Tests: