
Commit 16f0b98

Merge pull request #4451 from pacevedom/OCPBUGS-48735
OCPBUGS-48735: Fix default cipher suites when using TLS 1.2
2 parents 764297c + af331bc commit 16f0b98


2 files changed

+10
-0
lines changed


etcd/vendor/github.com/openshift/microshift/pkg/config/apiserver.go

Lines changed: 5 additions & 0 deletions

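--- a/pkg/config/apiserver.go
+++ b/pkg/config/apiserver.go
@@ -88,6 +88,11 @@ func (t *TLSConfig) UpdateValues() {
 case string(configv1.VersionTLS12):
 if len(t.CipherSuites) == 0 {
 t.CipherSuites = getIANACipherSuites(configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers)
+} else {
+// Either of these cipher suites are required for TLS 1.2 in Golang, include one of them if user didnt.
+if !slices.Contains(t.CipherSuites, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") && !slices.Contains(t.CipherSuites, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256") {
+t.CipherSuites = append(t.CipherSuites, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
+}
 }
 case string(configv1.VersionTLS13):
 // Golang does not allow specifying cipher suites when using tls 1.3, so we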
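Review bot: The new else branch silently widens an operator-supplied cipher allow-list: when neither ECDHE AES_128_GCM suite is present, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` is appended with no log line, so the effective TLS configuration no longer matches the config file and an audit of that file would miss the extra suite. Emit a warning at the append through whatever logger this package already uses, and make the comment say why the suite is needed, e.g. `// Go's HTTP/2 server setup rejects a TLS 1.2 cipher list that contains neither of these suites, so add one if the user left both out.` (the constraint appears to come from HTTP/2 rather than from TLS 1.2 itself; worth confirming before rewording). The RSA variant is added regardless of the serving certificate's key type, which is not visible in this hunk, so an ECDSA-only deployment may want the ECDSA suite instead. UpdateValues begins and continues outside the hunk.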
