tls: remove legacy SHA-2 CBC cipher suites. (envoyproxy#3316)
They are insecure and were removed from the BoringSSL codebase in
https://boringssl-review.googlesource.com/c/boringssl/+/27944

Signed-off-by: Piotr Sikora <[email protected]>
PiotrSikora authored and mattklein123 committed May 9, 2018
1 parent 8e95e7a commit 01aea23
Showing 5 changed files with 1 addition and 24 deletions.
6 changes: 0 additions & 6 deletions api/envoy/api/v2/auth/cert.proto
Expand Up @@ -47,21 +47,15 @@ message TlsParameters {
//
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES128-SHA256
// ECDHE-RSA-AES128-SHA256
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA384
// ECDHE-RSA-AES256-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA256
// AES256-SHA
//
// will be used.
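Review bot: the doc comment keeps the SHA-1 CBC suites (ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, AES256-SHA) in the default set while dropping only the SHA-2 CBC variants, and nothing in the comment explains that split. One line above the list stating why the SHA-1 CBC suites are retained (presumably compatibility with clients that lack AEAD support) would answer the obvious question. The comment also describes only the default: since BoringSSL no longer knows the removed names, it should say what happens when a user lists one of them explicitly in `cipher_suites` (config rejected, or the entry ignored), whichever the implementation does.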
6 changes: 0 additions & 6 deletions docs/root/api-v1/cluster_manager/cluster_ssl.rst
Expand Up @@ -54,21 +54,15 @@ cipher_suites
[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
will be used.
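Review bot: this v1 cluster page, the v1 listener page, the v2 proto comment and `DEFAULT_CIPHER_SUITES` in context_config_impl.cc all carry the same list verbatim, so every cipher change (this one touches four copies) has to be mirrored by hand and the copies can silently drift. Consider making the rst pages pull the list from one place, e.g. a `.. literalinclude::` of the source constant or a `:ref:` to the proto field documentation, so the next change is a single-file edit.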
6 changes: 0 additions & 6 deletions docs/root/api-v1/listeners/listeners.rst
Expand Up @@ -190,21 +190,15 @@ cipher_suites
[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
will be used.
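Review bot: the listener page gives operators no migration hint for existing v1 configs whose `cipher_suites` value still names one of the six removed suites (for example `AES128-SHA256` or `ECDHE-RSA-AES256-SHA384`). Add a sentence saying what Envoy does with such a value now that BoringSSL has dropped these suites, whether that is a load-time error or a skipped entry, and that the names should be removed from configs.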
1 change: 1 addition & 0 deletions docs/root/intro/version_history.rst
Expand Up @@ -71,6 +71,7 @@ Version history
* sockets: added `SO_KEEPALIVE` socket option for upstream connections
:ref:`per cluster <envoy_api_field_Cluster.upstream_connection_options>`.
* stats: added support for histograms.
* tls: removed support for legacy SHA-2 CBC cipher suites.
* tracing: the sampling decision is now delegated to the tracers, allowing the tracer to decide when and if
to use it. For example, if the :ref:`x-b3-sampled <config_http_conn_man_headers_x-b3-sampled>` header
is supplied with the client request, its value will override any sampling decision made by the Envoy proxy.
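Review bot: the changelog entry `tls: removed support for legacy SHA-2 CBC cipher suites.` does not name the suites, so an operator cannot grep a config for affected values. List the six removed names (ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, AES256-SHA256), add a `:ref:` to the `cipher_suites` field documentation as the neighbouring entries do, and state whether a config that still lists one of them fails to load.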
6 changes: 0 additions & 6 deletions source/common/ssl/context_config_impl.cc
Expand Up @@ -15,21 +15,15 @@ namespace Ssl {
const std::string ContextConfigImpl::DEFAULT_CIPHER_SUITES =
"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:"
"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:"
"ECDHE-ECDSA-AES128-SHA256:"
"ECDHE-RSA-AES128-SHA256:"
"ECDHE-ECDSA-AES128-SHA:"
"ECDHE-RSA-AES128-SHA:"
"AES128-GCM-SHA256:"
"AES128-SHA256:"
"AES128-SHA:"
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-AES256-SHA384:"
"ECDHE-RSA-AES256-SHA384:"
"ECDHE-ECDSA-AES256-SHA:"
"ECDHE-RSA-AES256-SHA:"
"AES256-GCM-SHA384:"
"AES256-SHA256:"
"AES256-SHA";

const std::string ContextConfigImpl::DEFAULT_ECDH_CURVES = "X25519:P-256";
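Review bot: the change trims `DEFAULT_CIPHER_SUITES` but adds no test covering the negative path, a user-supplied `cipher_suites` string that still names one of the removed suites. Because BoringSSL no longer recognises those names, the outcome depends entirely on how the cipher string is parsed; a unit test should pin it (an explicit config-load error is preferable to silently dropping the entry). A second test asserting that `DEFAULT_CIPHER_SUITES` is accepted by the linked BoringSSL and contains none of the six removed names would catch a future BoringSSL bump that drops more suites at test time rather than at proxy startup.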