
Fix #21004: Enforce TLS 1.2 as minimum for shell HTTP client#21347

Open

R-Panic wants to merge 2 commits into smartcontractkit:develop from R-Panic:feature/issue-21004

Conversation


@R-Panic R-Panic commented Feb 28, 2026

Fixes #21004

Summary

Updated newHttpClient to explicitly enforce TLS 1.2 as the minimum supported version, ensuring a consistent and secure communication baseline.

Changes

  • Added MinVersion: tls.VersionTLS12 to TLSClientConfig in newHttpClient function
  • This prevents downgrade attacks and protects against known vulnerabilities in older TLS protocols (TLS 1.0 and 1.1)
  • Maintains backward compatibility with all secure TLS 1.2+ connections
  • Does not affect the InsecureSkipVerify flag behavior for testing scenarios

Security Impact

By enforcing TLS 1.2 as the minimum version, the shell HTTP client:

  • Prevents protocol downgrade attacks
  • Disallows weak cipher suites from TLS 1.0/1.1
  • Aligns with modern security best practices
  • Maintains compatibility with all currently supported major HTTP services

Testing

No functional changes to existing behavior - only affects handshake negotiation to reject insecure TLS versions.

- Added MinVersion: tls.VersionTLS12 to TLSClientConfig in newHttpClient
- Protects against downgrade attacks and vulnerabilities in TLS 1.0/1.1
- Maintains backward compatibility with secure TLS 1.2+ connections
- Does not affect InsecureSkipVerify flag behavior

Fixes smartcontractkit#21004
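As an added illustration, in Go, of the pattern the description refers to (this is example code, not the PR's diff or the Chainlink repository's own `newHttpClient`): a client built with an explicit `MinVersion: tls.VersionTLS12` on its `TLSClientConfig`, a check that inspects any `*http.Client` for that floor, and two local `httptest` servers showing that the hardened client still completes a handshake with a TLS 1.2+ server and fails against a server limited to TLS 1.0/1.1. The function names (`newHardenedHTTPClient`, `clientTLSMinVersion`, `enforcesTLS12`, `probe`, `newTestServer`, `demo`) and the local test servers are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newHardenedHTTPClient mirrors the shape the PR describes: an explicit
// TLS 1.2 floor on the transport's TLSClientConfig, with InsecureSkipVerify
// passed through unchanged. Hypothetical name, not the project's newHttpClient.
func newHardenedHTTPClient(insecureSkipVerify bool, roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12, // the one-line change the PR adds
				InsecureSkipVerify: insecureSkipVerify,
				RootCAs:            roots, // nil means the system trust store
			},
		},
	}
}

// clientTLSMinVersion returns the MinVersion explicitly configured on the
// client's transport, or 0 when none is set. With 0 the Go runtime's default
// applies, and that default has moved between releases; an explicit floor
// removes that dependency.
func clientTLSMinVersion(c *http.Client) uint16 {
	tr, ok := c.Transport.(*http.Transport)
	if !ok || tr.TLSClientConfig == nil {
		return 0
	}
	return tr.TLSClientConfig.MinVersion
}

// enforcesTLS12 is the check a reviewer or a unit test can run on any client.
func enforcesTLS12(c *http.Client) bool {
	return clientTLSMinVersion(c) >= tls.VersionTLS12
}

// probe performs one GET and returns the negotiated TLS version
// (0 if the handshake failed) together with any error.
func probe(c *http.Client, url string) (uint16, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return 0, fmt.Errorf("no TLS connection state on response")
	}
	return resp.TLS.Version, nil
}

// newTestServer starts a local httptest TLS server restricted to the given
// protocol version range (constructed for this example only).
func newTestServer(minV, maxV uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{MinVersion: minV, MaxVersion: maxV}
	srv.StartTLS()
	return srv
}

// rootsFor trusts the test server's self-signed certificate, so the probe
// exercises the version floor rather than InsecureSkipVerify.
func rootsFor(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

// demo runs both scenarios and returns (modernOK, legacyRejected).
func demo() (bool, bool) {
	modern := newTestServer(tls.VersionTLS12, tls.VersionTLS13)
	defer modern.Close()
	v, err := probe(newHardenedHTTPClient(false, rootsFor(modern)), modern.URL)
	modernOK := err == nil && v >= tls.VersionTLS12

	legacy := newTestServer(tls.VersionTLS10, tls.VersionTLS11)
	defer legacy.Close()
	_, err = probe(newHardenedHTTPClient(false, rootsFor(legacy)), legacy.URL)
	legacyRejected := err != nil // no common protocol version, handshake aborts
	return modernOK, legacyRejected
}

func main() {
	fmt.Println("explicit TLS 1.2 floor:", enforcesTLS12(newHardenedHTTPClient(false, nil)))
	modernOK, legacyRejected := demo()
	fmt.Println("TLS 1.2+ server reachable:", modernOK, "| TLS 1.0/1.1-only server rejected:", legacyRejected)
}
```

The `enforcesTLS12` check is the kind of assertion worth keeping in a unit test next to the client constructor, so a later refactor that drops or lowers `MinVersion` fails CI rather than silently reverting to whatever the runtime default is.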
jmank88 previously approved these changes Mar 1, 2026
@Moses-main

Hi team,

I'll help enforce TLS 1.2 as minimum for the HTTP client. This is an important security hardening fix.

Let me know if I can proceed!

Successfully merging this pull request may close these issues.

[FEAT] Enforce TLS 1.2 as minimum for shell HTTP client
