Skip to content

Use system-defined TLS protocol versions #1170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
rhysparry wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Use system-defined TLS protocol versions #1170

rhysparry wants to merge 1 commit into from

Conversation

@rhysparry
Copy link
Contributor

@rhysparry rhysparry commented Dec 8, 2025

Background

Historically, Halibut, and by extension, Tentacle, has explicitly defined the set of supported TLS protocols. This has allowed newer protocols to be used without requiring the underlying system to enable them by default. However, it has also meant that older protocols have remained enabled to support customers running old systems.

Modern Operating System defaults are intended to provide the appropriate balance between security and compatibility, while allowing users to control the balance. This pull request switches the default Tentacle TLS configuration to match that of the underlying Operating System.

As a temporary safety measure, the OCTOPUS_TENTACLE_USE_LEGACY_TLS environment variable can be set to the value YES to switch to the previous behaviour of explicit configuration.

Results

For modern systems, this will result in TLS 1.0 and 1.1 no longer being available. Similarly, TLS 1.3 may also become unavailable if it is not configured by default.

How to review this PR

  • Quality
  • Environment variable suitability

Pre-requisites

  • I have read How we use GitHub Issues for help deciding when and where it's appropriate to make an issue.
  • I have considered informing or consulting the right people, according to the ownership map.
  • I have considered appropriate testing for my change.

evolutionise
evolutionise reviewed Dec 28, 2025
View reviewed changes
source/Octopus.Tentacle/EnvironmentOverrides.cs
public static class EnvironmentOverrides
{
public static bool UseLegacyExplicitSslConfiguration =>
Environment.GetEnvironmentVariable("OCTOPUS_TENTACLE_USE_LEGACY_TLS") == "YES";
Copy link
Contributor

@evolutionise evolutionise Dec 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the value for this be TRUE rather than YES, as it should follow the standard bool convention?

@evolutionise
Copy link
Contributor

evolutionise commented Dec 31, 2025

Fixes #468

Confirmed by customer with the issue

@evolutionise evolutionise mentioned this pull request Dec 31, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evolutionise evolutionise evolutionise left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rhysparry @evolutionise