Remove SHA-1 cipher suites from the defaults on the client-side #5397
Closed
This is the intent to remove remaining SHA-1 cipher suites (i.e. ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA and ECDHE-RSA-AES256-SHA) from the default cipher suites on the client-side.
This change will affect your deployment if it's using default cipher suites (i.e. not configuring cipher_suites) and it's making outgoing connections using those cipher suites:
```
$ curl -s localhost:9901/stats | grep -E "^cluster.*.ssl.ciphers..*SHA:"
cluster.<service>.ssl.ciphers.ECDHE-ECDSA-AES128-SHA: 1
cluster.<service>.ssl.ciphers.ECDHE-ECDSA-AES256-SHA: 1
cluster.<service>.ssl.ciphers.ECDHE-RSA-AES128-SHA: 1
cluster.<service>.ssl.ciphers.ECDHE-RSA-AES256-SHA: 1
```
(This works only with Envoy v1.9.0 and newer)
ETA: 1.12 (i.e. ~late 2019)