### Terraform Version

```
Terraform v1.16.0-dev (main branch, HEAD)
```

### Terraform Configuration Files

This is an internal code issue in the HTTP backend TLS configuration, not triggered by a specific user config. Any configuration using the HTTP backend with TLS client certificates is affected:

```terraform
terraform {
  backend "http" {
    address          = "https://example.com/state"
    client_cert_file = "/path/to/cert.pem"
    client_key_file  = "/path/to/key.pem"
  }
}
```

### Debug Output

No debug output needed. The issue is visible in the source code at `internal/backend/remote-state/http/backend.go` in the `configureTLS` function: the `tls.Config` is created without setting `MinVersion`, which defaults to TLS 1.0.

### Expected Behavior

The HTTP backend should enforce TLS 1.2 as the minimum protocol version, consistent with the OCI backend (`internal/backend/remote-state/oci/auth.go:323`) and with the deprecation of TLS 1.0/1.1 in [RFC 8996](https://datatracker.ietf.org/doc/html/rfc8996) (March 2021).

### Actual Behavior

The `tls.Config` created by `configureTLS` uses Go's default `MinVersion` of 0, which permits TLS 1.0 and 1.1 connections. This allows protocol downgrade attacks against state data in transit.

### Steps to Reproduce

1. Review `internal/backend/remote-state/http/backend.go`, function `configureTLS`.
2. Note that `tls.Config{}` is created without `MinVersion: tls.VersionTLS12`.
3. Compare with the OCI backend at `internal/backend/remote-state/oci/auth.go:323`, which correctly sets `MinVersion`.

### Additional Context

The omission was introduced in #34806 (2024-03-05) during the `helper/schema` refactoring. I intend to submit a fix for this issue and have a working implementation on my fork.
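To make the difference testable, the following is an added Go example; it is not Terraform's `configureTLS`, nor code from the reporter's fork. `weakTLSConfig` builds a client config the way the report describes, with `MinVersion` left at its zero value, and `hardenedTLSConfig` pins the floor at `tls.VersionTLS12`; `enforcesTLS12` is the policy check a unit test can apply to either. `dialLegacyServer` stands up a loopback server that is deliberately restricted to TLS 1.0/1.1, using a self-signed certificate generated in-process, and shows the pinned client refusing the handshake on protocol-version grounds. All function names, the `localhost` server name and the loopback server are assumptions of this example. Pinning `MinVersion` explicitly also removes any dependence on the toolchain's own defaults or `GODEBUG` settings for what a zero `MinVersion` means, which is why the example asserts on the policy check for the weak config rather than on its handshake outcome.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// weakTLSConfig mirrors the omission: MinVersion is left at its zero value,
// so the protocol floor is whatever the toolchain decides, not a policy.
func weakTLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: "localhost"}
}

// hardenedTLSConfig pins the floor explicitly, as the report proposes.
func hardenedTLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12}
}

// enforcesTLS12 is the policy check: true only if the config cannot negotiate below TLS 1.2.
func enforcesTLS12(cfg *tls.Config) bool {
	return cfg != nil && cfg.MinVersion >= tls.VersionTLS12
}

// selfSignedCert creates a throwaway localhost certificate in memory (constructed for
// this example; nothing is written to disk) and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// dialLegacyServer starts a loopback server that only speaks TLS 1.0/1.1 and dials it
// with the client config built by mkClient. It reports whether the handshake was
// refused because no protocol version was acceptable to both sides.
func dialLegacyServer(mkClient func(*x509.CertPool) *tls.Config) (refused bool, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10, // deliberately legacy, to model a downgrade-capable peer
		MaxVersion:   tls.VersionTLS11,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // drives version negotiation; the alert goes back to the client
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), mkClient(pool))
	if err == nil {
		conn.Close()
		return false, nil
	}
	if strings.Contains(err.Error(), "protocol version") {
		return true, nil
	}
	return false, err
}

func main() {
	_, pool, _ := selfSignedCert()
	fmt.Println("weak config passes policy:    ", enforcesTLS12(weakTLSConfig(pool)))
	fmt.Println("hardened config passes policy:", enforcesTLS12(hardenedTLSConfig(pool)))
	refused, err := dialLegacyServer(hardenedTLSConfig)
	fmt.Println("hardened client refused TLS 1.1-only server:", refused, err)
}
```

The policy check is the piece worth keeping in a backend's unit tests: it catches the omission at build time, whereas the live handshake only shows it for whichever peer the test happens to talk to.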
### References

- #34806 (introduced the omission)
- [moby/moby#32056](https://github.com/moby/moby/pull/32056) (Docker/Moby added TLS minimum version enforcement for the same class of downgrade risk)
- Previously submitted as #38546 (closed; resubmitting with issue-first workflow per Contributing.md)
- Fork branch with fix: [`SebTardif/terraform@fix/http-backend-tls-minversion`](https://github.com/SebTardif/terraform/tree/fix/http-backend-tls-minversion)

### Generative AI / LLM assisted development?

Grok (xAI) was used as an assistant with human-in-the-loop review. All code has been reviewed and understood by the human author.