tls: remove RSA key transport cipher suites from the defaults on the server-side (#20862)

Fixes #5399

Signed-off-by: derekguo001 <dong.guo@intel.com>

Mirrored from https://github.com/envoyproxy/envoy @ 42134ce7d9369c4023c3b5db08d4a73dca1cb6ad
pull/626/head
data-plane-api(Azure Pipelines) 3 years ago
parent 4e7af549d0
commit 336d781de7
  1. 10
      envoy/extensions/transport_sockets/tls/v3/common.proto

@ -57,6 +57,8 @@ message TlsParameters {
//
// If not specified, a default list will be used. Defaults are different for server (downstream) and
// client (upstream) TLS configurations.
// Defaults will change over time in response to security considerations; If you care, configure
// it instead of using the default.
//
// In non-FIPS builds, the default server cipher list is:
//
@ -66,14 +68,10 @@ message TlsParameters {
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
//
@ -83,14 +81,10 @@ message TlsParameters {
// ECDHE-RSA-AES128-GCM-SHA256
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In non-FIPS builds, the default client cipher list is:
//
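Review bot: The sentence added in the first hunk (`Defaults will change over time in response to security considerations; If you care, configure it instead of using the default.`) tells operators that the list moves but not what breaks when it does; since the commit title says the RSA key transport suites were dropped from the server default (presumably the four non-ECDHE entries, `AES128-GCM-SHA256`, `AES128-SHA`, `AES256-GCM-SHA384`, `AES256-SHA`, in the second and third hunks), a peer that offers only those suites will now fail the handshake unless this field is set explicitly, and the comment should say so. A wording that states that, and also fixes the capital after the semicolon, would be `// Defaults will change over time in response to security considerations; if you depend on a particular suite (for example to interoperate with clients that cannot negotiate ECDHE), set this field explicitly instead of relying on the default.` This hunk only updates the documentation, and the default list itself appears to be set in implementation code outside this file, so the two need to be kept in step when the default changes again. The client default list that starts at the end of the third hunk continues outside the view.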
