  1. OpenShift Service Mesh
  2. OSSM-1667

Remove deprecated cipher suites

Details

    • Story
    • Resolution: Done
    • Undefined
    • OSSM 2.4.0
    • OSSM 2.2.0, OSSM 2.3.0
    • Envoy
    • False
    • None
    • False
    • Release Notes
    • Support for the following cipher suites/encryption curves has been removed. Applications that require access to services using these will fail to connect if using proxy.

      TODO: list curves/suites
    • Proposed
    • Sprint 59, Sprint 60, Sprint 61, Sprint 62

    Description

      This was motivated by a customer that wants to restrict which cipher suites are available for us, and removing deprecated ones would help them. We should also align with upstream Istio and Envoy's cipher suites.

      We should investigate ways to work around this for affected customers. If an upstream server only offers old, removed ciphers, this would block connectivity with it. Possible solutions to investigate:

      • In a current release, log all usage of deprecated ciphers, and remove them in a subsequent release, giving customers time to find out whether they are affected
      • Remove them in the next release but offer a way to work around the removal, for instance, with an EnvoyFilter that overrides the default set of valid ciphers

          People

            rhn-support-twalsh Tim Walsh
            jlongmui@redhat.com Jamie Longmuir
            Prachi Yadav