diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto index 182dc4b81a5fc..aa05a31f23d90 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -51,10 +51,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // @@ -71,7 +73,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // @@ -87,6 +89,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH 
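Review bot: The opening sentence of the `cipher_suites` comment still reads `// If specified, the TLS listener will only support the specified cipher list`, while the same hunk now documents a separate default list for client (upstream) TLS contexts, so the stated scope contradicts the text below it; the neighbouring `ecdh_curves` comment already says `the TLS connection`, and I would change this one to `// If specified, the TLS connection (listener or upstream cluster) will only support the specified` to match. Since the lists are now side by side, the difference is worth spelling out for operators: the client defaults are ECDHE-only AEAD suites, whereas the server defaults still end with `AES256-GCM-SHA384` and `AES256-SHA` (static-RSA key exchange, and CBC in the latter), so a downstream that must offer forward secrecy or AEAD-only ciphers on TLS 1.0-1.2 has to set this field explicitly rather than rely on the default; a one-line note to that effect after the server lists would save a misread. The square-bracket groups appear to be equal-preference groups, meaning the choice between AES-GCM and ChaCha20 follows the peer's ordering, which the text does not say — confirm against the library's cipher-list syntax before documenting it. The same wording fix should be carried to the v4alpha copy and the generated_api_shadow mirrors, which repeat the sentence verbatim.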
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 0bc4bf9e963fa..e696fffc5e57d 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -52,10 +52,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // @@ -72,7 +74,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // 
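Review bot: This v4alpha copy keeps the stale `// If specified, the TLS listener will only support the specified cipher list` lead-in while adding text about client (upstream) defaults, so it has the same scope mismatch as the v3 file; use `the TLS connection` here as well, consistent with the `ecdh_curves` comment that follows the field. If the API tooling regenerates v4alpha and generated_api_shadow from v3, fixing the v3 comment and re-running generation is enough; otherwise the change must be applied by hand in all four files.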
@@ -88,6 +90,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto index 0c5c199510766..64b3f59dcb263 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -53,10 +53,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // 
@@ -73,7 +75,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // @@ -89,6 +91,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 0bc4bf9e963fa..e696fffc5e57d 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto 
@@ -52,10 +52,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // @@ -72,7 +74,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // @@ -88,6 +90,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH