internal/envoy: Disable CHACHA20 ciphers

Related to an ask that Contour is FIPS compliant by default. Envoy built with BoringSSL-FIPS removes the CHACHA20 cipehrs by default. Signed-off-by: Sunjay Bhatia <[email protected]>
projectcontour · Feb 10, 2021 · 6eba5cc · 6eba5cc
1 parent c8c8589
commit 6eba5cc
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/internal/envoy/auth.go b/internal/envoy/auth.go
@@ -24,8 +24,10 @@ var (
 	// The commented ciphers are left in place to simplify updating this list for future
 	// versions of envoy.
 	Ciphers = []string{
-		"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
-		"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
+		//"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
+		//"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
+		"ECDHE-ECDSA-AES128-GCM-SHA256",
+		"ECDHE-RSA-AES128-GCM-SHA256",
 		"ECDHE-ECDSA-AES128-SHA",
 		"ECDHE-RSA-AES128-SHA",
 		//"AES128-GCM-SHA256",

diff --git a/internal/envoy/v3/listener_test.go b/internal/envoy/v3/listener_test.go
@@ -200,8 +200,8 @@ func TestDownstreamTLSContext(t *testing.T) {
 		TlsMinimumProtocolVersion: envoy_tls_v3.TlsParameters_TLSv1_2,
 		TlsMaximumProtocolVersion: envoy_tls_v3.TlsParameters_TLSv1_3,
 		CipherSuites: []string{
-			"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
-			"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
+			"ECDHE-ECDSA-AES128-GCM-SHA256",
+			"ECDHE-RSA-AES128-GCM-SHA256",
 			"ECDHE-ECDSA-AES128-SHA",
 			"ECDHE-RSA-AES128-SHA",
 			"ECDHE-ECDSA-AES256-GCM-SHA384",