
Setting TLS 1.3 only ciphers causes API server to fail on startup #11706#11812

Open
KameHameHa21110 wants to merge 4 commits into projectcalico:master from KameHameHa21110:master

Conversation

KameHameHa21110 commented Feb 10, 2026

Description

This PR fixes a bug where the Calico API server fails to start when only TLS 1.3 cipher suites are configured via the Installation resource.

Type of fix: Bug fix

Why this should be merged:

  • Resolves HTTP/2 cipher validation error that prevents API server startup with TLS 1.3-only configurations
  • The API server hardcoded MinTLSVersion to TLS 1.2, triggering Go's HTTP/2 validation that requires TLS 1.2-specific ciphers
  • Modern security policies may require TLS 1.3-only configurations, which were previously blocked

Components affected:

  • crypto/pkg/tls: Added ParseTLSVersion() function and updated NewTLSConfig()
  • apiserver/cmd/apiserver/server: Updated to use TLS_MIN_VERSION environment variable

Testing performed:

  • Added unit tests for ParseTLSVersion() covering valid versions (1.2, 1.3), invalid versions, and default behavior
  • Added API server integration tests verifying environment variable handling
  • All existing tests pass (crypto/pkg/tls and apiserver/cmd/apiserver/server)
  • Verified go vet passes on changed packages

How it works:
The API server now reads the TLS_MIN_VERSION environment variable (values: "1.2" or "1.3"). When set to "1.3" with TLS 1.3-only ciphers, Go's HTTP/2 stack skips TLS 1.2 cipher validation, allowing the server to start successfully. Defaults to TLS 1.2 when not set (backward compatible).

Documentation:
Added comprehensive documentation at apiserver/TLS_CONFIGURATION.md with diagrams, tables, and usage scenarios.

Related issues/PRs

fixes #11706

Todos

  • Tests
  • Documentation
  • Release note

Release Note

Fix API server startup failure when configuring TLS 1.3-only cipher suites. The API server now supports the TLS_MIN_VERSION environment variable (values: "1.2" or "1.3") to control the minimum TLS version. Set TLS_MIN_VERSION=1.3 when using TLS 1.3-only cipher suites to avoid HTTP/2 cipher validation errors.

…p failure

This change introduces a TLS_MIN_VERSION environment variable that allows
users to configure the minimum TLS version for the API server and other
components. This resolves the issue where setting TLS 1.3-only ciphers
would cause startup failures due to Go's HTTP/2 cipher validation.

Changes:
- Add ParseTLSVersion() function to crypto/pkg/tls package
- Update NewTLSConfig() to use TLS_MIN_VERSION environment variable
- Update API server to parse and apply TLS_MIN_VERSION
- Add comprehensive tests for TLS version parsing
- Add TLS_CONFIGURATION.md documentation

Supported values for TLS_MIN_VERSION:
- "" or "1.2" (default): TLS 1.2 minimum
- "1.3": TLS 1.3 minimum (allows TLS 1.3-only cipher configurations)

Fixes projectcalico#11706
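Worked example of the failure mode the description ("How it works") and the commit message above describe. This is added illustration code, not code from this PR or from Calico: the function names parseTLSVersion, newTLSConfig and startupCheck are this example's own (the PR's ParseTLSVersion and NewTLSConfig signatures are not shown on this page), and checkHTTP2CipherSuites is an assumed reproduction of the cipher-suite check performed by golang.org/x/net/http2.ConfigureServer, written here against the standard library only so the program runs offline. The suite list is the operator-chosen TLS 1.3-only configuration that triggered the bug.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"os"
)

// parseTLSVersion follows the TLS_MIN_VERSION values listed in the commit
// message: "" or "1.2" selects TLS 1.2, "1.3" selects TLS 1.3, anything else
// is rejected. Name and error text are this example's own, not Calico's.
func parseTLSVersion(v string) (uint16, error) {
	switch v {
	case "", "1.2":
		return tls.VersionTLS12, nil
	case "1.3":
		return tls.VersionTLS13, nil
	default:
		return 0, fmt.Errorf("unsupported TLS_MIN_VERSION %q (want \"1.2\" or \"1.3\")", v)
	}
}

// newTLSConfig builds the server tls.Config from the parsed minimum version
// and the operator-supplied cipher-suite list.
func newTLSConfig(minVersion uint16, suites []uint16) *tls.Config {
	return &tls.Config{
		MinVersion:   minVersion,
		CipherSuites: suites,
	}
}

var errMissingHTTP2Suite = errors.New("TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher")

// checkHTTP2CipherSuites reproduces (assumption: modelled on
// golang.org/x/net/http2.ConfigureServer) the validation that killed the API
// server: when CipherSuites is set and MinVersion is below TLS 1.3, the list
// must contain one of the HTTP/2 mandatory AES-128-GCM suites. With MinVersion
// at TLS 1.3 the check is skipped, because Go's crypto/tls never consults
// CipherSuites for TLS 1.3 handshakes (TLS 1.3 suites are not configurable).
func checkHTTP2CipherSuites(c *tls.Config) error {
	if c.CipherSuites == nil || c.MinVersion >= tls.VersionTLS13 {
		return nil
	}
	for _, cs := range c.CipherSuites {
		switch cs {
		case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
			return nil
		}
	}
	return errMissingHTTP2Suite
}

// tls13OnlySuites is a constructed operator configuration: every entry is a
// TLS 1.3 suite, so the TLS 1.2 suite list is effectively empty.
var tls13OnlySuites = []uint16{
	tls.TLS_AES_128_GCM_SHA256,
	tls.TLS_AES_256_GCM_SHA384,
	tls.TLS_CHACHA20_POLY1305_SHA256,
}

// startupCheck models the startup path this PR changes: parse the
// TLS_MIN_VERSION value, build the config, run the HTTP/2 validation. A
// non-nil error is what the server would have failed to start with.
func startupCheck(envValue string, suites []uint16) error {
	minVersion, err := parseTLSVersion(envValue)
	if err != nil {
		return err
	}
	return checkHTTP2CipherSuites(newTLSConfig(minVersion, suites))
}

func main() {
	// Default (TLS 1.2 minimum) fails, "1.3" passes, bad values are rejected.
	for _, v := range []string{"", "1.3", "1.1"} {
		fmt.Printf("TLS_MIN_VERSION=%q with TLS 1.3-only suites: %v\n", v, startupCheck(v, tls13OnlySuites))
	}
	// The real server reads the variable from its environment.
	if err := startupCheck(os.Getenv("TLS_MIN_VERSION"), tls13OnlySuites); err != nil {
		fmt.Println("startup would fail:", err)
	}
}
```

Caveat worth keeping in mind when reviewing the fix: because Go ignores CipherSuites for TLS 1.3, a "TLS 1.3-only ciphers" setting with the default TLS 1.2 minimum would also leave a TLS 1.2 client with no negotiable suite, so raising MinVersion to 1.3 is the configuration that actually matches the operator's intent, not just a way past the HTTP/2 check.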
@KameHameHa21110 KameHameHa21110 requested a review from a team as a code owner February 10, 2026 06:33
@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Feb 10, 2026
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Feb 10, 2026
…bles

- Add ASCII diagram showing TLS version and cipher relationships
- Add configuration validation matrix with visual indicators
- Add cipher compatibility diagram for quick reference
- Consolidate sections for better readability
- Reduce from 237 to 159 lines while keeping all essential info
- Add quick reference table at the top
- Improve troubleshooting section with clear comparison table
- Refactor NewTLSConfig to use local variable for minVersion
- Remove duplicate test from apiserver (already tested in crypto package)
- Remove TLS_CONFIGURATION.md documentation file

Changes per reviewer feedback from caseydavenport
caseydavenport (Member)

/sem-approve

Align struct fields consistently to pass CI formatting checks
KameHameHa21110 (Author)

Fixed struct field alignment issue that was causing the CI check to fail.
No functional changes, just formatting to pass make check-dirty.

caseydavenport (Member)

/sem-approve

KameHameHa21110 (Author)

The CI failures appear to be infrastructure issues (missing Docker image 'calico/go-build:1.25.7-llvm18.1.8-k8s1.34.3') unrelated to the TLS configuration changes. Can these tests be restarted or would you like me to rebase?