Skip to content

fix: Enforce TLS 1.3 for the Vault client#349

Open
minhtule wants to merge 1 commit into
masterfrom
feat/mt/vault-tls-min-version
Open

fix: Enforce TLS 1.3 for the Vault client#349
minhtule wants to merge 1 commit into
masterfrom
feat/mt/vault-tls-min-version

Conversation

@minhtule

Copy link
Copy Markdown
Contributor

Related Tickets & Documents

Changes

  • Enforce a TLS 1.3 minimum on the Vault client used for SSH CA signing (Vault's default permits TLS 1.2).

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Vault client configuration used by the SSH CA signing path to enforce a minimum TLS version of 1.3, aligning the implementation with Issue #348’s security requirement.

Changes:

  • Set the Vault HTTP client transport’s TLSClientConfig.MinVersion to tls.VersionTLS13.
  • Add a unit test to assert that newVault enforces TLS 1.3 on the underlying HTTP transport.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
internal/sshhandler/vault.go Forces Vault client TLS minimum to 1.3 by updating the underlying http.Transport TLS config.
internal/sshhandler/vault_test.go Adds a regression test validating the TLS 1.3 minimum is set on the Vault client transport.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.19%. Comparing base (ae1a656) to head (aa1f153).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #349      +/-   ##
==========================================
+ Coverage   86.07%   86.19%   +0.11%     
==========================================
  Files          40       40              
  Lines        2830     2832       +2     
==========================================
+ Hits         2436     2441       +5     
+ Misses        269      265       -4     
- Partials      125      126       +1     
Flag Coverage Δ
integration 55.00% <100.00%> (+0.14%) ⬆️
unit 78.88% <100.00%> (+0.33%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/sshhandler/vault.go 77.67% <100.00%> (+0.40%) ⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@minhtule minhtule requested a review from clement0010 June 29, 2026 01:04
@minhtule minhtule changed the title feat: Enforce TLS 1.3 for the Vault client fix: Enforce TLS 1.3 for the Vault client Jun 29, 2026

@clement0010 clement0010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏻

@minhtule minhtule requested a review from sghiocel June 29, 2026 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants