From 4f96a68ae4a3055d162d9a4a0e5ce842f5ca9d3f Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)" <data-plane-api@users.noreply.github.com>
Date: Wed, 9 May 2018 04:52:31 +0000
Subject: [PATCH] tls: remove legacy SHA-2 CBC cipher suites. (#3316)

They are insecure and were removed from BoringSSL codebase in
https://boringssl-review.googlesource.com/c/boringssl/+/27944

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 01aea23f6bca771ad7918d049d2bee05ac316b33
---
 envoy/api/v2/auth/cert.proto | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index 8e78a8d1..51b76c05 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -47,21 +47,15 @@ message TlsParameters {
   //
   //   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
   //   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
-  //   ECDHE-ECDSA-AES128-SHA256
-  //   ECDHE-RSA-AES128-SHA256
   //   ECDHE-ECDSA-AES128-SHA
   //   ECDHE-RSA-AES128-SHA
   //   AES128-GCM-SHA256
-  //   AES128-SHA256
   //   AES128-SHA
   //   ECDHE-ECDSA-AES256-GCM-SHA384
   //   ECDHE-RSA-AES256-GCM-SHA384
-  //   ECDHE-ECDSA-AES256-SHA384
-  //   ECDHE-RSA-AES256-SHA384
   //   ECDHE-ECDSA-AES256-SHA
   //   ECDHE-RSA-AES256-SHA
   //   AES256-GCM-SHA384
-  //   AES256-SHA256
   //   AES256-SHA
   //
   // will be used.