Skip to content

fix(security): Enforce TLS 1.2 minimum for UTxORPC and Bark servers#2869

Merged
arepala-uml merged 6 commits into
mainfrom
security/2436/pin_server_tls_min_version
Jul 17, 2026
Merged

fix(security): Enforce TLS 1.2 minimum for UTxORPC and Bark servers#2869
arepala-uml merged 6 commits into
mainfrom
security/2436/pin_server_tls_min_version

Conversation

@arepala-uml

@arepala-uml arepala-uml commented Jul 17, 2026

Copy link
Copy Markdown
Contributor
  1. Enforce TLS 1.2 as the minimum for UTxORPC and Bark servers with tests covering default, legacy, and stricter TLS configurations.
  2. Centralized the server TLS policy in the shared internal/tlsutil package.
  3. Added table-driven coverage for unset, zero-valued, legacy, and TLS 1.3 configurations.
  4. Verified the affected packages with race-enabled tests and confirmed no empty &tls.Config{} literals remain.

Closes #2436


Summary by cubic

Enforces TLS 1.2 as the minimum for api/utxorpc and bark servers via internal/tlsutil. TLS 1.3 is automatically required when ECH keys are configured; addresses #2436.

  • Bug Fixes

    • Apply shared policy with tlsutil.ServerConfig to both servers; wrap GetConfigForClient and clone before applying the floor to avoid mutating shared configs.
    • Normalize MaxVersion when below the floor; tests cover nil/zero, <1.2, 1.3, ECH (static/dynamic), MaxVersion, and callback cases.
  • Migration

    • TLS 1.0/1.1 clients are blocked; ensure clients use TLS 1.2+.

Written for commit e870e53. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Security

    • Server connections now require TLS 1.2 or higher, improving protection against outdated and less secure encryption protocols.
    • Existing configurations using TLS 1.3 continue to be supported.
  • Bug Fixes

    • Improved server startup handling when TLS settings are missing or configured below the supported security baseline.
  • Tests

    • Added coverage for TLS configuration across default, older, and newer protocol settings.

…rage for UTxORPC and Bark TLS configurations.

Signed-off-by: Akhil Repala <arepala@blinklabs.io>
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds TLS configuration helpers for the UTxO RPC and Bark servers that initialize TLSConfig when needed and enforce TLS 1.2 as the minimum version while preserving TLS 1.3 settings. Server startup paths now invoke these helpers. Unit tests cover nil, default, lower-version, and higher-version TLS configurations.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The changes satisfy #2436 by pinning server TLS MinVersion to 1.2+, preserving TLS 1.3, and adding tests for both servers.
Out of Scope Changes check ✅ Passed No clear out-of-scope changes are present; the Bark TLS update and tests align with the linked security objective.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: enforcing a TLS 1.2 minimum for UTxORPC and Bark servers.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/2436/pin_server_tls_min_version

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@arepala-uml arepala-uml changed the title fix(security): enforce TLS 1.2 minimum for RPC servers and added cove… fix(security): Enforce TLS 1.2 minimum for UTxORPC and Bark servers Jul 17, 2026
@arepala-uml
arepala-uml marked this pull request as ready for review July 17, 2026 18:04
@arepala-uml
arepala-uml requested a review from a team as a code owner July 17, 2026 18:04

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
api/utxorpc/utxorpc.go (1)

300-311: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Extract duplicate TLS configuration logic.

The configureServerTLS helper and its tests are identically duplicated across the UTxO RPC and Bark server packages. Consider extracting this logic into a shared internal utility package (for example, internal/netutil or internal/tlsutil) to keep server TLS policies centralized and DRY.

  • api/utxorpc/utxorpc.go#L300-L311: Replace this helper with a call to the extracted shared function.
  • bark/bark.go#L196-L207: Replace this helper with a call to the extracted shared function.
  • api/utxorpc/utxorpc_test.go#L150-L198: Move this test to the shared package alongside the extracted helper.
  • bark/bark_test.go#L25-L68: Remove this duplicated test once the logic is covered in the shared package.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/utxorpc/utxorpc.go` around lines 300 - 311, The duplicate
configureServerTLS implementations and tests should be centralized in a shared
internal TLS utility. In api/utxorpc/utxorpc.go lines 300-311 and bark/bark.go
lines 196-207, replace the local helpers with calls to the shared function; move
the corresponding tests from api/utxorpc/utxorpc_test.go lines 150-198 into the
shared package, and remove the duplicate tests from bark/bark_test.go lines
25-68 while preserving coverage of the TLS 1.2 minimum-version behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@api/utxorpc/utxorpc.go`:
- Around line 300-311: The duplicate configureServerTLS implementations and
tests should be centralized in a shared internal TLS utility. In
api/utxorpc/utxorpc.go lines 300-311 and bark/bark.go lines 196-207, replace the
local helpers with calls to the shared function; move the corresponding tests
from api/utxorpc/utxorpc_test.go lines 150-198 into the shared package, and
remove the duplicate tests from bark/bark_test.go lines 25-68 while preserving
coverage of the TLS 1.2 minimum-version behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3545c29f-4198-46bd-94f0-0c806b1e2787

📥 Commits

Reviewing files that changed from the base of the PR and between e5b0506 and 83cd4d9.

📒 Files selected for processing (4)
  • api/utxorpc/utxorpc.go
  • api/utxorpc/utxorpc_test.go
  • bark/bark.go
  • bark/bark_test.go

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 4 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread bark/bark.go Outdated
… TLS 1.2 minimum configuration across UTxORPC and Bark.

Signed-off-by: Akhil Repala <arepala@blinklabs.io>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 5 files (changes from recent commits).

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread internal/tlsutil/tls.go Outdated
…oth scenarios (max version below raised floor, ECH keys with unset minimum)

Signed-off-by: Akhil Repala <arepala@blinklabs.io>
@arepala-uml

Copy link
Copy Markdown
Contributor Author

@cubic-dev-ai reveiw

@cubic-dev-ai

cubic-dev-ai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@cubic-dev-ai reveiw

@arepala-uml I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 4 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread internal/tlsutil/tls.go Outdated
Signed-off-by: Akhil Repala <arepala@blinklabs.io>
@arepala-uml

Copy link
Copy Markdown
Contributor Author

@cubic-dev-ai reveiw

@cubic-dev-ai

cubic-dev-ai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@cubic-dev-ai reveiw

@arepala-uml I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 4 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread internal/tlsutil/tls.go
Signed-off-by: Akhil Repala <arepala@blinklabs.io>
@arepala-uml

Copy link
Copy Markdown
Contributor Author

@cubic-dev-ai reveiw

@cubic-dev-ai

cubic-dev-ai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@cubic-dev-ai reveiw

@arepala-uml I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 4 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread internal/tlsutil/tls.go Outdated
…onfig.Clone()

Signed-off-by: Akhil Repala <arepala@blinklabs.io>
@arepala-uml

Copy link
Copy Markdown
Contributor Author

@cubic-dev-ai

@cubic-dev-ai

cubic-dev-ai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@cubic-dev-ai

@arepala-uml I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

Re-trigger cubic

@arepala-uml
arepala-uml merged commit e9c1241 into main Jul 17, 2026
11 of 12 checks passed
@arepala-uml
arepala-uml deleted the security/2436/pin_server_tls_min_version branch July 17, 2026 23:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security: set explicit TLS MinVersion on utxorpc gRPC server

2 participants