Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove SHA-1 cipher suites from the defaults on the client-side #5397

Closed
PiotrSikora opened this issue Dec 22, 2018 · 0 comments
Closed

Remove SHA-1 cipher suites from the defaults on the client-side #5397

PiotrSikora opened this issue Dec 22, 2018 · 0 comments
Labels
area/tls no stalebot Disables stalebot from closing an issue

Comments

@PiotrSikora
Copy link
Contributor

This is the intent to remove remaining SHA-1 cipher suites (i.e. ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA and ECDHE-RSA-AES256-SHA) from the default cipher suites on the client-side.

This change will affect your deployment if it's using default cipher suites (i.e. not configuring cipher_suites) and it's making outgoing connections using those cipher suites:

$ curl -s localhost:9901/stats | grep -E "^cluster.*.ssl.ciphers..*SHA:"
cluster.<service>.ssl.ciphers.ECDHE-ECDSA-AES128-SHA: 1
cluster.<service>.ssl.ciphers.ECDHE-ECDSA-AES256-SHA: 1
cluster.<service>.ssl.ciphers.ECDHE-RSA-AES128-SHA: 1
cluster.<service>.ssl.ciphers.ECDHE-RSA-AES256-SHA: 1

(This works only with Envoy v1.9.0 and newer)

ETA: 1.12 (i.e. ~late 2019)
@PiotrSikora PiotrSikora mentioned this issue Dec 22, 2018
Open
11 tasks
@mattklein123 mattklein123 added area/tls no stalebot Disables stalebot from closing an issue labels Dec 24, 2018
@PiotrSikora PiotrSikora changed the title Deprecate SHA-1 cipher suites on the client-side Remove SHA-1 cipher suites from the defaults on the client-side Jan 3, 2019
PiotrSikora added a commit to PiotrSikora/envoy that referenced this issue Nov 1, 2020
@PiotrSikora
tls: remove deprecated cipher suites from client defaults.
2da33bf 
Fixes envoyproxy#5396, envoyproxy#5397.

Signed-off-by: Piotr Sikora <[email protected]>
@PiotrSikora PiotrSikora mentioned this issue Nov 1, 2020
Merged
@desimone desimone mentioned this issue May 12, 2021
Closed
@chadlwilson chadlwilson mentioned this issue May 28, 2021
Closed
@jforce jforce mentioned this issue Jun 22, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/tls no stalebot Disables stalebot from closing an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PiotrSikora @mattklein123