feat(conf): add DHE-RSA-CHACHA20-POLY1305 cipher to the intermediate configuration #12133

Merged
merged 1 commit into from
Dec 4, 2023

bungle (Member) commented Nov 30, 2023

Summary

Mozilla TLS recommendations added DHE-RSA-CHACHA20-POLY1305 cipher to intermediate in their version 5.7, see: https://wiki.mozilla.org/Security/Server_Side_TLS

KAG-3257

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • [ ] There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

…configuration

### Summary

Mozilla TLS recommendations added `DHE-RSA-CHACHA20-POLY1305` cipher to intermediate in their
version 5.7, see: https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Aapo Talvensaari <[email protected]>
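
An added example (not code from this pull request or from Kong): a Python check that compares each nginx `ssl_ciphers` directive in a configuration against the Mozilla intermediate TLS 1.2 cipher list as of guideline version 5.7, so a list that predates the addition of `DHE-RSA-CHACHA20-POLY1305` is flagged. The sample configuration is constructed, and the names `audit_ssl_ciphers` and `SAMPLE_CONF` are assumptions of this example.

```python
import re

# TLS 1.2 ciphers of Mozilla's "intermediate" profile, guideline version 5.7.
MOZILLA_INTERMEDIATE_5_7 = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",  # the cipher added in 5.7
]

# Matches "ssl_ciphers <value>;" with the value optionally quoted.
# Commented-out directives do not match because "#" precedes the name.
DIRECTIVE = re.compile(r"^\s*ssl_ciphers\s+(['\"]?)([^;'\"]+)\1\s*;", re.MULTILINE)

def audit_ssl_ciphers(conf_text, baseline=MOZILLA_INTERMEDIATE_5_7):
    """Return one finding per ssl_ciphers directive found in conf_text."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        line_no = conf_text.count("\n", 0, m.start(2)) + 1
        # OpenSSL cipher strings separate entries with ':', ',' or spaces.
        configured = [c for c in re.split(r"[:,\s]+", m.group(2)) if c]
        findings.append({
            "line": line_no,
            "missing": [c for c in baseline if c not in configured],
            # Keywords and exclusions (HIGH, !aNULL) are not expanded;
            # they are reported here for manual review.
            "unexpected": [c for c in configured if c not in baseline],
        })
    return findings

# Constructed sample: one list without the new cipher, one with a legacy extra.
OLD_LIST = ":".join(MOZILLA_INTERMEDIATE_5_7[:-1])
SAMPLE_CONF = f"""\
server {{
    listen 443 ssl;
    # ssl_ciphers HIGH:!aNULL;
    ssl_ciphers {OLD_LIST};
}}
server {{
    listen 8443 ssl;
    ssl_ciphers "{OLD_LIST}:DHE-RSA-CHACHA20-POLY1305:AES128-SHA";
}}
"""

if __name__ == "__main__":
    for finding in audit_ssl_ciphers(SAMPLE_CONF):
        print(finding)
```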
fffonion (Contributor) left a comment

btw since we are now on OpenSSL 3.x, we can re-add TLSv1.3 and dhparams back for FIPS mode. tls1.3 is allowed per fips-140-3.

also do we want to set ssl_ecdh_curve too? I think the openssl default has included some ciphers that mozilla document doesn't like.

bungle (Member, Author) commented Dec 1, 2023

> btw since we are now on OpenSSL 3.x, we can re-add TLSv1.3 and dhparams back for FIPS mode. tls1.3 is allowed per fips-140-3.
>
> also do we want to set ssl_ecdh_curve too? I think the openssl default has included some ciphers that mozilla document doesn't like.

Yes, good points. Let’s open separate PRs for them.

@hanshuebner hanshuebner merged commit 08d989c into master Dec 4, 2023
39 checks passed
@hanshuebner hanshuebner deleted the feat/add-cipher-to-intermediate-suite branch December 4, 2023 17:33