From 51a1b5d4f5d0b3a1e56c6b62bac3f3ae84338dc8 Mon Sep 17 00:00:00 2001 From: "Jason T. Wong" Date: Fri, 1 May 2026 10:17:06 -0400 Subject: [PATCH 1/3] [SOC2] Add TLS 1.3 support alongside TLS 1.2 Adds :"tlsv1.3" to the ssl :versions list in build_config/2 so all transports (Tesla HTTP and Slipstream WebSocket) can negotiate TLS 1.3 with OTP 27, while retaining TLS 1.2 for backward compatibility. Also adds a test asserting both versions are present. Closes ENG-1713. --- lib/peridiod/config.ex | 3 ++- test/peridiod/config_test.exs | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/peridiod/config.ex b/lib/peridiod/config.ex index 3aa6527..6296cdb 100644 --- a/lib/peridiod/config.ex +++ b/lib/peridiod/config.ex @@ -255,7 +255,8 @@ defmodule Peridiod.Config do |> Map.put(:ssl, server_name_indication: to_charlist(config.device_api_host), verify: verify, - cacertfile: config.device_api_ca_certificate_path + cacertfile: config.device_api_ca_certificate_path, + versions: [:"tlsv1.2", :"tlsv1.3"] ) case config.key_pair_source do diff --git a/test/peridiod/config_test.exs b/test/peridiod/config_test.exs index 70de374..39e09eb 100644 --- a/test/peridiod/config_test.exs +++ b/test/peridiod/config_test.exs @@ -25,6 +25,15 @@ defmodule Peridiod.ConfigTest do end end + describe "tls versions" do + test "ssl options include both TLS 1.2 and TLS 1.3" do + with_config_file("test/fixtures/peridio.json", fn -> + config = build_config() + assert config.ssl[:versions] == [:"tlsv1.2", :"tlsv1.3"] + end) + end + end + describe "device_api_verify" do test "struct default is :verify_peer" do assert %Peridiod.Config{}.device_api_verify == :verify_peer From e125a025ae70358fba4b0ce3c93e490eb129504c Mon Sep 17 00:00:00 2001 
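Review bot: In PATCH 1/3, the new `versions:` entry in the `:ssl` keyword list of lib/peridiod/config.ex turns on TLS 1.3 for every transport, but nothing in the series checks that a handshake actually completes with it; the added test only inspects the list. TLS 1.3 requires RSA client keys to sign with RSA-PSS during client authentication, and the `case config.key_pair_source do` right after this hunk suggests the client key can come from several sources, so it is worth confirming that each source still authenticates once 1.3 is negotiated. I would also record the intent next to the option, for example `# TLS 1.2 kept for backward compatibility; remove once every endpoint negotiates 1.3`. The same line is reordered in PATCH 3/3, and the enclosing function starts and ends outside the hunk.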
From: "Jason T. Wong" Date: Fri, 1 May 2026 10:22:29 -0400 Subject: [PATCH 2/3] Remove stale :versions default from base_config/1 build_config/2 overwrites the ssl keyword list entirely, making the :versions put_new in base_config/1 dead code. Remove it to avoid a misleading second default that doesn't match the live configuration. --- lib/peridiod/config.ex | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/peridiod/config.ex b/lib/peridiod/config.ex index 6296cdb..5710e6e 100644 --- a/lib/peridiod/config.ex +++ b/lib/peridiod/config.ex @@ -414,7 +414,6 @@ defmodule Peridiod.Config do ssl = base.ssl |> Keyword.put_new(:verify, :verify_peer) - |> Keyword.put_new(:versions, [:"tlsv1.2"]) |> Keyword.put_new(:server_name_indication, to_charlist(base.device_api_sni)) %{base | socket: socket, ssl: ssl} From bd8dc003647a26d4bc57ee386723dee0e93f18c1 Mon Sep 17 00:00:00 2001 From: "Jason T. Wong" Date: Mon, 4 May 2026 14:22:02 -0400 Subject: [PATCH 3/3] Address PR review comments on TLS version ordering and test assertion - Reorder TLS versions to prefer 1.3 over 1.2 - Use membership assertions in test instead of exact list equality --- lib/peridiod/config.ex | 2 +- test/peridiod/config_test.exs | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/peridiod/config.ex b/lib/peridiod/config.ex index 5710e6e..997d6fa 100644 --- a/lib/peridiod/config.ex +++ b/lib/peridiod/config.ex @@ -256,7 +256,7 @@ defmodule Peridiod.Config do server_name_indication: to_charlist(config.device_api_host), verify: verify, cacertfile: config.device_api_ca_certificate_path, - versions: [:"tlsv1.2", :"tlsv1.3"] + versions: [:"tlsv1.3", :"tlsv1.2"] ) case config.key_pair_source do diff --git a/test/peridiod/config_test.exs b/test/peridiod/config_test.exs index 39e09eb..f9ab6a5 100644 --- a/test/peridiod/config_test.exs +++ b/test/peridiod/config_test.exs 
@@ -29,7 +29,8 @@ defmodule Peridiod.ConfigTest do
 test "ssl options include both TLS 1.2 and TLS 1.3" do
 with_config_file("test/fixtures/peridio.json", fn ->
 config = build_config()
- assert config.ssl[:versions] == [:"tlsv1.2", :"tlsv1.3"]
+ assert :"tlsv1.2" in config.ssl[:versions]
+ assert :"tlsv1.3" in config.ssl[:versions]
 end)
 end
 end
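Review bot: The two membership assertions that replace the exact-equality check no longer fail if a legacy protocol version is added to the list, which matters for a test meant to back a compliance control. Keeping the order-independence while still pinning the set would cover both, for example `assert Enum.sort(config.ssl[:versions]) == Enum.sort([:"tlsv1.2", :"tlsv1.3"])`, or add `refute :tlsv1 in config.ssl[:versions]` and `refute :"tlsv1.1" in config.ssl[:versions]`. The enclosing `describe "tls versions"` block starts outside this hunk.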