Skip to content

docs: clarify the new default client cipher list #16474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
htuch merged 2 commits into from
May 23, 2021
Merged

docs: clarify the new default client cipher list #16474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
91df41c
docs: clarify the new default client cipher list
desimone May 19, 2021
fdcb911
Merge remote-tracking branch 'origin/main' into desimone/16469
desimone May 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 24 additions & 4 deletions api/envoy/extensions/transport_sockets/tls/v3/common.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,10 +51,12 @@ message TlsParameters {

// If specified, the TLS listener will only support the specified `cipher list
// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
// specified, the default list will be used.
// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
//
// In non-FIPS builds, the default cipher list is:
// If not specified, a default list will be used. Defaults are different for server (downstream) and
// client (upstream) TLS configurations.
//
// In non-FIPS builds, the default server cipher list is:
//
// .. code-block:: none
//
Expand All @@ -71,7 +73,7 @@ message TlsParameters {
// AES256-GCM-SHA384
// AES256-SHA
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
//
// .. code-block:: none
//
Expand All @@ -87,6 +89,24 @@ message TlsParameters {
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In non-FIPS builds, the default client cipher list is:
//
// .. code-block:: none
//
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
//
// .. code-block:: none
//
// ECDHE-ECDSA-AES128-GCM-SHA256
// ECDHE-RSA-AES128-GCM-SHA256
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
Copy link
Copy Markdown
Member

@htuch htuch May 16, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice if we could generate these from some canonical location that is shared with code. If we aren't going to change frequently this is fine though.

repeated string cipher_suites = 3;

// If specified, the TLS connection will only support the specified ECDH
Expand Down
28 changes: 24 additions & 4 deletions api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 24 additions & 4 deletions generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 24 additions & 4 deletions generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.