Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove RSA key transport from the defaults on the client-side #5396

Closed
PiotrSikora opened this issue Dec 22, 2018 · 0 comments · Fixed by #13850
Closed

Remove RSA key transport from the defaults on the client-side #5396

PiotrSikora opened this issue Dec 22, 2018 · 0 comments · Fixed by #13850
Labels
area/tls no stalebot Disables stalebot from closing an issue

Comments

@PiotrSikora
Copy link
Contributor

This is the intent to remove RSA key transport (i.e. AES128-GCM-SHA256, AES128-SHA, AES256-GCM-SHA384 and AES256-SHA) from the default cipher suites on the client-side.

This change will affect your deployment if it's using default cipher suites (i.e. not configuring cipher_suites) and it's making outgoing connections using those cipher suites:

$ curl -s localhost:9901/stats | grep -E "^cluster.*.ssl.ciphers.AES"
cluster.<service>.ssl.ciphers.AES128-GCM-SHA256: 1
cluster.<service>.ssl.ciphers.AES128-SHA: 1
cluster.<service>.ssl.ciphers.AES256-GCM-SHA384: 1
cluster.<service>.ssl.ciphers.AES256-SHA: 1

(This works only with Envoy v1.9.0 and newer)

ETA: 1.11 (i.e. ~mid 2019)
@PiotrSikora PiotrSikora mentioned this issue Dec 22, 2018
Open
11 tasks
@mattklein123 mattklein123 added area/tls no stalebot Disables stalebot from closing an issue labels Dec 24, 2018
@PiotrSikora PiotrSikora changed the title Deprecate RSA key transport on the client-side Remove RSA key transport from the defaults on the client-side Jan 3, 2019
PiotrSikora added a commit to PiotrSikora/envoy that referenced this issue Nov 1, 2020
@PiotrSikora
tls: remove deprecated cipher suites from client defaults.
2da33bf 
Fixes envoyproxy#5396, envoyproxy#5397.

Signed-off-by: Piotr Sikora <[email protected]>
@PiotrSikora PiotrSikora mentioned this issue Nov 1, 2020
Merged
@desimone desimone mentioned this issue May 12, 2021
Closed
@jforce jforce mentioned this issue Jun 22, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/tls no stalebot Disables stalebot from closing an issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

tls: remove deprecated cipher suites from client defaults. PiotrSikora/envoy
2 participants
@PiotrSikora @mattklein123