tls: enable TLS 1.3 on the server-side (non-FIPS builds). (#5459)

Signed-off-by: Piotr Sikora <piotrsikora@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 5aae1e828baef3c7543d4dc5ff7df1cf97daccc1
6 years ago · 286a22138c
parent 5b28cffa10
commit 286a22138c
1 changed files with 5 additions and 3 deletions
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@ -38,12 +38,14 @@ message TlsParameters {
  // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum.defined_only = true];

-  // Maximum TLS protocol version. By default, it's ``TLSv1_2``.
+  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
+  // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum.defined_only = true];

  // If specified, the TLS listener will only support the specified `cipher list
-  // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_.
-  // If not specified, the default list will be used.
+  // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
+  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
+  // specified, the default list will be used.
  //
  // In non-FIPS builds, the default cipher list is:
  //