diff --git a/api/envoy/api/v2/auth/cert.proto b/api/envoy/api/v2/auth/cert.proto
index 8e78a8d16f3e..51b76c0506aa 100644
--- a/api/envoy/api/v2/auth/cert.proto
+++ b/api/envoy/api/v2/auth/cert.proto
@@ -47,21 +47,15 @@ message TlsParameters {
 //
 // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
 // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- // ECDHE-ECDSA-AES128-SHA256
- // ECDHE-RSA-AES128-SHA256
 // ECDHE-ECDSA-AES128-SHA
 // ECDHE-RSA-AES128-SHA
 // AES128-GCM-SHA256
- // AES128-SHA256
 // AES128-SHA
 // ECDHE-ECDSA-AES256-GCM-SHA384
 // ECDHE-RSA-AES256-GCM-SHA384
- // ECDHE-ECDSA-AES256-SHA384
- // ECDHE-RSA-AES256-SHA384
 // ECDHE-ECDSA-AES256-SHA
 // ECDHE-RSA-AES256-SHA
 // AES256-GCM-SHA384
- // AES256-SHA256
 // AES256-SHA
 //
 // will be used.
diff --git a/docs/root/api-v1/cluster_manager/cluster_ssl.rst b/docs/root/api-v1/cluster_manager/cluster_ssl.rst
index 291319505f9d..9d53af68cc58 100644
--- a/docs/root/api-v1/cluster_manager/cluster_ssl.rst
+++ b/docs/root/api-v1/cluster_manager/cluster_ssl.rst
@@ -54,21 +54,15 @@ cipher_suites
 
 [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
 [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
 ECDHE-ECDSA-AES128-SHA
 ECDHE-RSA-AES128-SHA
 AES128-GCM-SHA256
- AES128-SHA256
 AES128-SHA
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
 ECDHE-ECDSA-AES256-SHA
 ECDHE-RSA-AES256-SHA
 AES256-GCM-SHA384
- AES256-SHA256
 AES256-SHA
 
 will be used.
diff --git a/docs/root/api-v1/listeners/listeners.rst b/docs/root/api-v1/listeners/listeners.rst
index a2fc957702cf..37c22f26af16 100644
--- a/docs/root/api-v1/listeners/listeners.rst
+++ b/docs/root/api-v1/listeners/listeners.rst
@@ -190,21 +190,15 @@ cipher_suites
 
 [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
 [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
 ECDHE-ECDSA-AES128-SHA
 ECDHE-RSA-AES128-SHA
 AES128-GCM-SHA256
- AES128-SHA256
 AES128-SHA
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
 ECDHE-ECDSA-AES256-SHA
 ECDHE-RSA-AES256-SHA
 AES256-GCM-SHA384
- AES256-SHA256
 AES256-SHA
 
 will be used.
diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
index d3aecd750347..3faaa9f4e5e9 100644
--- a/docs/root/intro/version_history.rst
+++ b/docs/root/intro/version_history.rst
@@ -71,6 +71,7 @@ Version history
 * sockets: added `SO_KEEPALIVE` socket option for upstream connections :ref:`per cluster `.
 * stats: added support for histograms.
+* tls: removed support for legacy SHA-2 CBC cipher suites.
 * tracing: the sampling decision is now delegated to the tracers, allowing the tracer to decide when and if to use it. For example, if the :ref:`x-b3-sampled ` header is supplied with the client request, its value will override any sampling decision made by the Envoy proxy.
diff --git a/source/common/ssl/context_config_impl.cc b/source/common/ssl/context_config_impl.cc
index df390dcbdd0e..e1c1ac754c29 100644
--- a/source/common/ssl/context_config_impl.cc
+++ b/source/common/ssl/context_config_impl.cc
@@ -15,21 +15,15 @@ namespace Ssl {
 const std::string ContextConfigImpl::DEFAULT_CIPHER_SUITES =
 "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]:"
 "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:"
- "ECDHE-ECDSA-AES128-SHA256:"
- "ECDHE-RSA-AES128-SHA256:"
 "ECDHE-ECDSA-AES128-SHA:"
 "ECDHE-RSA-AES128-SHA:"
 "AES128-GCM-SHA256:"
- "AES128-SHA256:"
 "AES128-SHA:"
 "ECDHE-ECDSA-AES256-GCM-SHA384:"
 "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
 "ECDHE-ECDSA-AES256-SHA:"
 "ECDHE-RSA-AES256-SHA:"
 "AES256-GCM-SHA384:"
- "AES256-SHA256:"
 "AES256-SHA";
 
 const std::string ContextConfigImpl::DEFAULT_ECDH_CURVES = "X25519:P-256";
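Review bot: The trimmed DEFAULT_CIPHER_SUITES definition still carries no comment saying why the SHA-1 CBC suites (ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES128-SHA, AES256-SHA and their 256-bit ECDHE counterparts) and the non-ECDHE GCM suites stay in the default while the SHA-2 CBC suites go, so the next pruning pass has to rediscover the reasoning. Presumably they remain for compatibility with peers that lack AEAD or ECDHE support; a one-line note above the definition such as `// Ordered by preference: AEAD suites with forward secrecy first; the remaining CBC suites are kept only for older peers — revisit before the next cipher-list trim.` would record that, once the actual reason is confirmed. The same list is repeated as documentation in cert.proto, cluster_ssl.rst and listeners.rst in this change with nothing tying those copies to this constant; a unit test that compares the documented list against DEFAULT_CIPHER_SUITES, or at least a comment here naming the three files to update together, would keep them from drifting. The version_history entry says support for the suites was removed, whereas this hunk only drops them from the default string; if an explicit cipher_suites setting can still select them, the changelog wording is worth tightening.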