Story
Resolution: Done
OSSM 2.2.0, OSSM 2.3.0
Sprint 59, Sprint 60, Sprint 61, Sprint 62
- Related PR: https://github.com/maistra/envoy/pull/180
This was motivated by a customer that wants to restrict which cipher suites are available for use; removing deprecated ones would help them. We should also align with upstream Istio's and Envoy's cipher suites.
We should investigate ways to work around this for affected customers: if an upstream server offers only old, removed ciphers, removing them would block connectivity with it. Possible solutions to investigate:
- In a current release, log all usage of deprecated ciphers, and remove them in a subsequent release, giving time for customers to know whether they are affected or not
- Remove them in the next release but offer a way to work around the removal, for instance, with an EnvoyFilter that overrides the default set of valid ciphers
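For the first option, a sketch of how a mesh operator could audit proxy access logs to find upstreams that still negotiate a cipher slated for removal. This is an added example, not code from this ticket or from OSSM. It assumes JSON access logs with the hypothetical keys `upstream_cluster` and `upstream_tls_cipher`, and the `DEPRECATED` set is a placeholder because the ticket does not list the ciphers being removed.

```python
import json
from collections import Counter

# Assumption: placeholder set of ciphers slated for removal. The ticket does
# not enumerate them; substitute the list from the release notes.
DEPRECATED = {"ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA", "AES128-SHA"}

# Constructed sample access-log lines (JSON). Key names are hypothetical.
SAMPLE_LOG = """\
{"upstream_cluster": "outbound|443||legacy.example.com", "upstream_tls_cipher": "AES128-SHA"}
{"upstream_cluster": "outbound|443||api.example.com", "upstream_tls_cipher": "ECDHE-RSA-AES128-GCM-SHA256"}
{"upstream_cluster": "outbound|443||legacy.example.com", "upstream_tls_cipher": "AES128-SHA"}
{"upstream_cluster": "outbound|8080||plain.example.com", "upstream_tls_cipher": "-"}
not json at all
{"upstream_cluster": "outbound|443||old.example.com", "upstream_tls_cipher": "ecdhe-rsa-aes128-sha"}
"""


def audit(lines, deprecated=DEPRECATED):
    """Return (Counter keyed by (cluster, cipher) for deprecated hits, skipped count)."""
    wanted = {c.upper() for c in deprecated}
    hits, skipped = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count unparseable lines so gaps in coverage are visible
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        # "-" or a missing key means no TLS was negotiated on that connection.
        cipher = str(rec.get("upstream_tls_cipher") or "-").upper()
        if cipher in wanted:
            hits[(rec.get("upstream_cluster", "unknown"), cipher)] += 1
    return hits, skipped


def affected_clusters(hits):
    """Sorted list of upstream clusters that would lose connectivity."""
    return sorted({cluster for cluster, _ in hits})


if __name__ == "__main__":
    hits, skipped = audit(SAMPLE_LOG.splitlines())
    for (cluster, cipher), n in hits.most_common():
        print(f"{n:5d}  {cipher:24s} {cluster}")
    print(f"skipped {skipped} unparseable line(s)")
```

An empty result over a representative logging window suggests the removal is safe for that mesh; any listed cluster is a candidate for the override described in the second option.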