
ADR-023: TLS 1.3 mandatory in production

  • Status: Accepted
  • Date: 2026-05-14
  • Tags: security, network

Context and Problem Statement

The workflow engine handles business-critical data (orders, approvals, PII). A MITM attacker could tamper with requests and responses. Is TLS required? Which version?

Decision Drivers

  • Compliance (SOC2, HIPAA, etc.) requires encryption in transit
  • MITM attacks are a documented threat (T2.4 in the threat model)
  • TLS 1.2 has known weaknesses (Lucky13, etc.)
  • TLS 1.3 mandatory in modern compliance

Considered Options

  1. TLS 1.3 only
  2. TLS 1.2 + 1.3 supported
  3. TLS optional (plain HTTP acceptable in dev)
  4. mTLS required (mutual)

Decision Outcome

Chosen: TLS 1.3 mandatory in production, TLS 1.2 deprecated. Dev/local environments may use plain HTTP on loopback only.

mTLS is optional for worker-to-engine traffic, to be enabled if compliance requires it.

Positive Consequences

  • All in-transit data encrypted
  • MITM impractical
  • Compliance baseline met
  • Modern security standards

Negative Consequences

  • TLS 1.0/1.1 clients incompatible (acceptable in 2026)
  • Cert management overhead (Let's Encrypt + cert-manager mitigates)
  • TLS handshake adds ~10ms latency

Implementation

# Engine config
server:
  tls:
    enabled: true
    min_version: TLS1.3
    cert_file: /etc/tls/cert.pem
    key_file: /etc/tls/key.pem
    auto_renew: true            # via cert-manager / certbot

# HSTS header
headers:
  Strict-Transport-Security: "max-age=31536000; includeSubDomains"

For workers (mTLS optional):

mtls:
  enabled: false               # Phase 1 default
  ca_file: /etc/tls/ca.pem
  client_cert_required: true
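As an added example (not code from the ADR or the engine's code base), this Go snippet shows how the config above maps onto the standard library: the TLS floor is pinned to 1.3 and any other min_version is a configuration error, mTLS flips ClientAuth to RequireAndVerifyClientCert against the CA from ca_file, and the HSTS header is applied by middleware. The struct and function names are hypothetical; the caller is assumed to read ca_file into a CertPool.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
)

// TLSSettings mirrors the ADR's YAML keys (hypothetical struct; the engine's real type may differ).
type TLSSettings struct {
	MinVersion string // server.tls.min_version, "TLS1.3" per ADR-023
	CertFile   string // server.tls.cert_file
	KeyFile    string // server.tls.key_file
	MTLS       bool   // mtls.enabled
}

// BuildTLSConfig fails closed: any min_version other than TLS1.3 is rejected, so TLS 1.2
// cannot be re-enabled by a typo. clientCAs is the parsed mtls.ca_file, used only when MTLS is on.
func BuildTLSConfig(s TLSSettings, clientCAs *x509.CertPool) (*tls.Config, error) {
	if s.MinVersion != "TLS1.3" {
		return nil, errors.New("ADR-023: min_version must be TLS1.3, got " + s.MinVersion)
	}
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS13,
		// Load the key pair per handshake so a cert renewed on disk by cert-manager/certbot is used live.
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, err := tls.LoadX509KeyPair(s.CertFile, s.KeyFile)
			return &c, err
		},
	}
	if s.MTLS {
		if clientCAs == nil {
			return nil, errors.New("mtls.enabled is true but no ca_file pool was provided")
		}
		cfg.ClientCAs = clientCAs
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // client_cert_required: true
	}
	return cfg, nil
}

// HSTS adds the Strict-Transport-Security header from the ADR to every response.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}
```

Serve with `http.Server{TLSConfig: cfg, Handler: HSTS(mux)}` and `ListenAndServeTLS("", "")`; the empty paths are fine because GetCertificate supplies the key pair.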