Cipher configuration issue #6380

Closed
Zsolt-LazarZsolt opened this issue Apr 24, 2024 · 0 comments · Fixed by #6461
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor.

Comments

@Zsolt-LazarZsolt
What steps did you take and what happened:
Contour checks the validity of the tls.cipher-suites in the configmap against the following hardcoded list:

https://github.com/projectcontour/contour/blob/main/apis/projectcontour/v1alpha1/ciphersuites.go

```go
var ValidTLSCiphers = map[string]struct{}{
	"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]": {},
	"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]":     {},
	"ECDHE-ECDSA-AES128-GCM-SHA256":                                 {},
	"ECDHE-RSA-AES128-GCM-SHA256":                                   {},
	"ECDHE-ECDSA-AES128-SHA":                                        {},
	"ECDHE-RSA-AES128-SHA":                                          {},
	"AES128-GCM-SHA256":                                             {},
	"AES128-SHA":                                                    {},
	"ECDHE-ECDSA-AES256-GCM-SHA384":                                 {},
	"ECDHE-RSA-AES256-GCM-SHA384":                                   {},
	"ECDHE-ECDSA-AES256-SHA":                                        {},
	"ECDHE-RSA-AES256-SHA":                                          {},
	"AES256-GCM-SHA384":                                             {},
	"AES256-SHA":                                                    {},
}
```

The first two lines in Envoy mean there is no order of preference between ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-CHACHA20-POLY1305.
Because the list elements are checked as-is, it is possible to give ECDHE-ECDSA-AES128-GCM-SHA256 on its own (as it has its own element), but it is not possible to set ECDHE-ECDSA-CHACHA20-POLY1305 on its own, as it is only part of the first element and does not have its own element in ValidTLSCiphers.

What did you expect to happen:
All elements in ValidTLSCiphers could be independent ciphers, and if the input is given as "[cipher1|cipher2|cipherX]", the ciphers could be checked against ValidTLSCiphers one by one.
This would make it possible to create equal preference between any ciphers.
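A validator implementing the one-by-one check proposed above, as an added example that is not Contour's own code: it assumes the hypothetical function name ValidateCipherSuites, keeps only the individual cipher names from the hardcoded list, and validates each member of an Envoy-style "[a|b]" group separately, so any combination of known ciphers can be given equal preference while an unknown name anywhere in a group is still rejected.

```go
package main

import (
	"fmt"
	"strings"
)

// validTLSCiphers holds the individual entries of Contour's ValidTLSCiphers;
// the two hardcoded "[...|...]" groups are left out, since groups are now
// validated member by member (constructed for this example).
var validTLSCiphers = map[string]struct{}{
	"ECDHE-ECDSA-AES128-GCM-SHA256": {},
	"ECDHE-ECDSA-CHACHA20-POLY1305": {},
	"ECDHE-RSA-AES128-GCM-SHA256":   {},
	"ECDHE-RSA-CHACHA20-POLY1305":   {},
	"ECDHE-ECDSA-AES128-SHA":        {},
	"ECDHE-RSA-AES128-SHA":          {},
	"AES128-GCM-SHA256":             {},
	"AES128-SHA":                    {},
	"ECDHE-ECDSA-AES256-GCM-SHA384": {},
	"ECDHE-RSA-AES256-GCM-SHA384":   {},
	"ECDHE-ECDSA-AES256-SHA":        {},
	"ECDHE-RSA-AES256-SHA":          {},
	"AES256-GCM-SHA384":             {},
	"AES256-SHA":                    {},
}

// ValidateCipherSuites (hypothetical name) accepts plain cipher names and
// equal-preference groups "[a|b|c]", checking every member against the set.
func ValidateCipherSuites(suites []string) error {
	for _, s := range suites {
		members := []string{s}
		if strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]") {
			// Split the group into its members; "[]" yields one empty member, which fails below.
			members = strings.Split(strings.Trim(s, "[]"), "|")
		}
		for _, m := range members {
			m = strings.TrimSpace(m)
			if _, ok := validTLSCiphers[m]; !ok {
				return fmt.Errorf("invalid cipher suite %q in entry %q", m, s)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateCipherSuites([]string{"[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384]"}))
	fmt.Println(ValidateCipherSuites([]string{"[ECDHE-ECDSA-AES128-GCM-SHA256|NOT-A-CIPHER]"}))
}
```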

@Zsolt-LazarZsolt Zsolt-LazarZsolt added kind/bug Categorizes issue or PR as related to a bug. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Apr 24, 2024
@tsaarni tsaarni self-assigned this Apr 24, 2024