Remove RSA key transport from the defaults on the client-side #5396

@PiotrSikora

This is the intent to remove RSA key transport (i.e. AES128-GCM-SHA256, AES128-SHA, AES256-GCM-SHA384 and AES256-SHA) from the default cipher suites on the client-side.

This change will affect your deployment if it's using default cipher suites (i.e. not configuring cipher_suites) and it's making outgoing connections using those cipher suites:

```
$ curl -s localhost:9901/stats | grep -E "^cluster.*.ssl.ciphers.AES"
cluster.<service>.ssl.ciphers.AES128-GCM-SHA256: 1
cluster.<service>.ssl.ciphers.AES128-SHA: 1
cluster.<service>.ssl.ciphers.AES256-GCM-SHA384: 1
cluster.<service>.ssl.ciphers.AES256-SHA: 1
```

(This works only with Envoy v1.9.0 and newer)

ETA: 1.11 (i.e. ~mid 2019)
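
Added example (not part of the original issue or of Envoy's code): a shell function that reads the `/stats` text shown above and totals, per cluster, the outgoing connections that negotiated one of the four RSA key transport suites named in the issue. It matches the suite names exactly, so ECDHE suites and listener-side counters are ignored; the cluster names and counts in `sample_stats` are constructed.

```shell
#!/bin/sh
# Reads Envoy admin /stats text on stdin and prints "<cluster> <total>" for
# every cluster with at least one connection that used RSA key transport.
rsa_kx_clusters() {
  awk -F': ' '
    BEGIN {
      # The four suites listed in the issue (exact names only).
      n = split("AES128-GCM-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA", s, " ")
      for (k = 1; k <= n; k++) rsa[s[k]] = 1
    }
    /^cluster\..*\.ssl\.ciphers\./ {
      i = index($1, ".ssl.ciphers.")   # 13 characters long
      cipher  = substr($1, i + 13)
      cluster = substr($1, 9, i - 9)   # text after the "cluster." prefix
      count   = $2 + 0
      if ((cipher in rsa) && count > 0) total[cluster] += count
    }
    END { for (c in total) print c, total[c] }
  ' | sort
}

# Constructed sample input; in a deployment use:
#   curl -s localhost:9901/stats | rsa_kx_clusters
sample_stats() {
  cat <<'EOF'
cluster.backend.ssl.ciphers.AES128-SHA: 3
cluster.backend.ssl.ciphers.ECDHE-RSA-AES128-GCM-SHA256: 40
cluster.auth.ssl.ciphers.ECDHE-ECDSA-AES128-GCM-SHA256: 12
cluster.legacy.db.ssl.ciphers.AES128-GCM-SHA256: 5
cluster.legacy.db.ssl.ciphers.AES256-GCM-SHA384: 2
cluster.legacy.db.ssl.ciphers.AES256-SHA: 0
cluster.legacy.db.ssl.handshake: 7
listener.0.0.0.0_443.ssl.ciphers.AES128-SHA: 7
EOF
}

sample_stats | rsa_kx_clusters
```

Clusters listed in the output rely on a suite that leaves the client defaults, so either the upstream needs an ECDHE suite enabled or the cluster needs an explicit `cipher_suites` setting before upgrading.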

Labels: area/tls, no stalebot (disables stalebot from closing an issue)
