open-vault/website/pages/docs/upgrading/upgrade-to-1.3.0.mdx
Jeff Escalante df34412570 New Website! (#8154)
* new documentation website

* ci job adjustment

* update to latest version on downloads page

* remove transition-period scripts

* add netlify toml file

* fix docs patch

* fix ci config?

* revert go.mod changes

* a couple last markdown formatting fixes
2020-01-17 16:18:09 -08:00

42 lines
1.8 KiB
Plaintext

---
layout: docs
page_title: Upgrading to Vault 1.3.0 - Guides
sidebar_title: Upgrade to 1.3.0
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.3.0. Please read it carefully.
---
# Overview
This page contains the list of deprecations and important or breaking changes
for Vault 1.3.0 compared to 1.2.4. Please read it carefully.
## Secondary cluster activation
There has been a change to the way that activating performance and DR secondary
clusters works when using public keys for encryption of the parameters rather
than a wrapping token. This flow was experimental and never documented. It is
now officially supported and documented but is not backwards compatible with
older Vault releases.
## Cluster cipher suites
On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher
suite list by default. Although this port is only used for Vault-to-Vault
communication and would always pick a strong cipher, it could cause false flags
on port scanners and other security utilities that assumed insecure ciphers were
being used. The previous behavior can be achieved by setting the value of the
(undocumented) cluster_cipher_suites config flag to tls12.
## API/Agent Renewal Behavior
The API now allows multiple options for how it deals with renewals. The legacy
behavior in the Agent/API is for the renewer (now called the lifetime watcher)
to exit on a renew error, leading to a reauthentication. The new default
behavior is for the lifetime watcher to ignore 5XX errors and simply retry as
scheduled, using the existing lease duration. It is also possible, within
custom code, to disable renewals entirely, which allows the lifetime watcher to
simply return when it believes it is time for your code to renew or
reauthenticate.