Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove SHA-1 cipher suites from the defaults on the server-side #5400

Open
PiotrSikora opened this issue Dec 22, 2018 · 0 comments
Open

Remove SHA-1 cipher suites from the defaults on the server-side #5400

PiotrSikora opened this issue Dec 22, 2018 · 0 comments
Labels
area/tls help wanted Needs help!

Comments

@PiotrSikora
Copy link
Contributor

PiotrSikora commented Dec 22, 2018
edited
Loading

This is the intent to remove remaining SHA-1 cipher suites (i.e. ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA and ECDHE-RSA-AES256-SHA) from the default cipher suites on the server-side.

This change will affect your deployment if it's using default cipher suites (i.e. not configuring cipher_suites) and it's accepting incoming connections using those cipher suites:

$ curl -s localhost:9901/stats | grep -E "^listener.*.ssl.ciphers..*SHA:"
listener.<address>.ssl.ciphers.ECDHE-ECDSA-AES128-SHA: 1
listener.<address>.ssl.ciphers.ECDHE-ECDSA-AES256-SHA: 1
listener.<address>.ssl.ciphers.ECDHE-RSA-AES128-SHA: 1
listener.<address>.ssl.ciphers.ECDHE-RSA-AES256-SHA: 1

(This works only with Envoy v1.9.0 and newer)

ETA: 1.15 (i.e. ~late 2020)
@PiotrSikora PiotrSikora mentioned this issue Dec 22, 2018
Open
11 tasks
@mattklein123 mattklein123 added area/tls no stalebot Disables stalebot from closing an issue labels Dec 24, 2018
@PiotrSikora PiotrSikora changed the title Deprecate SHA-1 cipher suites on the server-side Remove SHA-1 cipher suites from the defaults on the server-side Jan 3, 2019
@mattklein123 mattklein123 added help wanted Needs help! and removed no stalebot Disables stalebot from closing an issue labels Jan 15, 2021
@derekguo001 derekguo001 mentioned this issue Apr 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/tls help wanted Needs help!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@PiotrSikora @mattklein123