docs: add 8.14 TLS 1.2 RSA handshake breaking change#20880
Merged
Conversation
Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor
Contributor
🤖 GitHub commentsJust comment with:
|
Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor
Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor
carsonip
added
backport-8.14
Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor
carsonip
changed the title
endorama
approved these changes
Apr 14, 2026
Member
Author
|
@Mergifyio backport 8.14 8.15 8.16 8.17 8.18 |
Contributor
✅ Backports have been createdDetails
|
mergify bot
pushed a commit
that referenced
this pull request
Apr 14, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3)
2 tasks
mergify bot
pushed a commit
that referenced
this pull request
Apr 14, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3)
2 tasks
mergify bot
pushed a commit
that referenced
this pull request
Apr 14, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3)
2 tasks
mergify bot
pushed a commit
that referenced
this pull request
Apr 14, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3)
2 tasks
mergify bot
pushed a commit
that referenced
this pull request
Apr 14, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3)
2 tasks
mergify bot
added a commit
that referenced
this pull request
Apr 15, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3) Co-authored-by: Carson Ip <[email protected]>
mergify bot
added a commit
that referenced
this pull request
Apr 15, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3) Co-authored-by: Carson Ip <[email protected]>
mergify bot
added a commit
that referenced
this pull request
Apr 15, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3) Co-authored-by: Carson Ip <[email protected]>
mergify bot
added a commit
that referenced
this pull request
Apr 15, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3) Co-authored-by: Carson Ip <[email protected]>
mergify bot
added a commit
that referenced
this pull request
Apr 16, 2026
* docs: add 8.14 TLS 1.2 RSA handshake breaking change note Document that TLS 1.2 RSA key exchange cipher negotiation can fail at runtime in 8.14+ due to Go 1.22 defaults, and include the GODEBUG workaround. Made-with: Cursor * docs: add breaking change entry to 8.14 release notes Add a dedicated Breaking Changes section to 8.14.0 release notes documenting TLS 1.2 RSA key exchange runtime handshake failures and the GODEBUG workaround. Made-with: Cursor * docs: reorder 8.14 breaking change section Move the 8.14 breaking changes block ahead of 8.11 to keep release sections in descending version order. Made-with: Cursor * docs: align 8.14 breaking-change format with existing style Reformat the 8.14 all-breaking-changes entry to use the standard bullet-and-details style used by nearby 8.x sections. Made-with: Cursor (cherry picked from commit 0605cf3) Co-authored-by: Carson Ip <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation/summary
This PR documents a TLS behavior change introduced with the Go 1.22 toolchain that first landed in APM Server 8.14.0.
It adds a user-facing breaking-change note in two places:
changelogs/8.14.asciidocunder the8.14.0release section (==== Breaking Changes)changelogs/all-breaking-changes.asciidocunder the=== 8.14sectionThe note explains that TLS 1.2 handshakes with RSA key exchange ciphers can fail at runtime even when startup succeeds, and documents the temporary workaround: set
GODEBUG=tlsrsakex=1on the APM Server process.Checklist
How to test these changes
changelogs/8.14.asciidocand verifyAPM version 8.14.0includes a==== Breaking Changessubsection describing this TLS behavior and workaround.changelogs/all-breaking-changes.asciidocand verify the=== 8.14section exists in correct descending order before=== 8.11.GODEBUG=tlsrsakex=1and reference issue#20879.#20879.Related issues
Fixes #20877
Related: #20879