From 9ee7e57fc8cb331eff64e17285db5741c587e38e Mon Sep 17 00:00:00 2001 From: Damiano Donati Date: Fri, 6 Feb 2026 12:08:13 +0100 Subject: [PATCH 1/2] TLSSecurityProfile: Remove go's unsupported ciphers Following up from the dicussion in https://redhat-internal.slack.com/archives/C098FU5MRAB/p1770309657097269 We are removing DHE and CBC mode ciphers groups as they are not supported due to Go's crypto/tls limitations. Added notes and context for removed ciphers. Context: https://github.com/golang/go/issues/7758 https://github.com/golang/go/issues/26652 --- config/v1/types_tlssecurityprofile.go | 49 ++++++++------------------- 1 file changed, 14 insertions(+), 35 deletions(-) diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index 1e5189796e4..48657b08947 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -7,9 +7,10 @@ type TLSSecurityProfile struct { // type is one of Old, Intermediate, Modern or Custom. Custom provides the // ability to specify individual TLS security profile parameters. // - // The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - // configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - // forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + // The profiles are based on version 5.7 of the Mozilla Server Side TLS + // configuration guidelines. The cipher lists consist of the configuration's + // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + // See: https://ssl-config.mozilla.org/guidelines/5.7.json // // The profiles are intent based, so they may change over time as new ciphers are // developed and existing ciphers are found to be insecure. Depending on @@ -22,9 +23,6 @@ type TLSSecurityProfile struct { // old is a TLS profile for use when services need to be accessed by very old // clients or libraries and should be used only as a last resort. // - // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - // by the "old" profile ciphers. - // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS10 // ciphers: @@ -37,23 +35,15 @@ type TLSSecurityProfile struct { // - ECDHE-RSA-AES256-GCM-SHA384 // - ECDHE-ECDSA-CHACHA20-POLY1305 // - ECDHE-RSA-CHACHA20-POLY1305 - // - DHE-RSA-AES128-GCM-SHA256 - // - DHE-RSA-AES256-GCM-SHA384 - // - DHE-RSA-CHACHA20-POLY1305 // - ECDHE-ECDSA-AES128-SHA256 // - ECDHE-RSA-AES128-SHA256 // - ECDHE-ECDSA-AES128-SHA // - ECDHE-RSA-AES128-SHA - // - ECDHE-ECDSA-AES256-SHA384 - // - ECDHE-RSA-AES256-SHA384 // - ECDHE-ECDSA-AES256-SHA // - ECDHE-RSA-AES256-SHA - // - DHE-RSA-AES128-SHA256 - // - DHE-RSA-AES256-SHA256 // - AES128-GCM-SHA256 // - AES256-GCM-SHA384 // - AES128-SHA256 - // - AES256-SHA256 // - AES128-SHA // - AES256-SHA // - DES-CBC3-SHA @@ -66,9 +56,6 @@ type TLSSecurityProfile struct { // legacy clients and want to remain highly secure while being compatible with // most clients currently in use. // - // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - // by the "intermediate" profile ciphers. - // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS12 // ciphers: @@ -81,8 +68,6 @@ type TLSSecurityProfile struct { // - ECDHE-RSA-AES256-GCM-SHA384 // - ECDHE-ECDSA-CHACHA20-POLY1305 // - ECDHE-RSA-CHACHA20-POLY1305 - // - DHE-RSA-AES128-GCM-SHA256 - // - DHE-RSA-AES256-GCM-SHA384 // // +optional // +nullable @@ -160,12 +145,14 @@ const ( // TLSProfileSpec is the desired behavior of a TLSSecurityProfile. type TLSProfileSpec struct { // ciphers is used to specify the cipher algorithms that are negotiated - // during the TLS handshake. Operators may remove entries their operands - // do not support. For example, to use DES-CBC3-SHA (yaml): + // during the TLS handshake. Operators may remove entries that their operands + // do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): // // ciphers: - // - DES-CBC3-SHA + // - ECDHE-RSA-AES128-GCM-SHA256 // + // TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + // and are always enabled when TLS 1.3 is negotiated. // +listType=atomic Ciphers []string `json:"ciphers"` // minTLSVersion is used to specify the minimal version of the TLS protocol @@ -200,9 +187,11 @@ const ( // TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec. // -// These profiles are based on version 5.0 of the Mozilla Server Side TLS -// configuration guidelines (2019-06-28) with TLS 1.3 cipher suites prepended for -// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json +// These profiles are based on version 5.7 of the Mozilla Server Side TLS +// configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json +// +// Each Ciphers slice is the configuration's "ciphersuites" followed by the +// Go-specific "ciphers" from the guidelines JSON. // // NOTE: The caller needs to make sure to check that these constants are valid // for their binary. Not all entries map to values for all binaries. In the case @@ -220,23 +209,15 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", - "DHE-RSA-AES128-GCM-SHA256", - "DHE-RSA-AES256-GCM-SHA384", - "DHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", - "ECDHE-ECDSA-AES256-SHA384", - "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", - "DHE-RSA-AES128-SHA256", - "DHE-RSA-AES256-SHA256", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", - "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", @@ -254,8 +235,6 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", - "DHE-RSA-AES128-GCM-SHA256", - "DHE-RSA-AES256-GCM-SHA384", }, MinTLSVersion: VersionTLS12, }, From 164ef8ee12ecc32944706fca8104f9dd33c0aff0 Mon Sep 17 00:00:00 2001 From: Damiano Donati Date: Wed, 11 Feb 2026 11:26:53 +0100 Subject: [PATCH 2/2] make update --- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 32 +++++---------- ...ig-operator_01_apiservers-Default.crd.yaml | 32 +++++---------- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 32 +++++---------- ...config-operator_01_apiservers-OKD.crd.yaml | 32 +++++---------- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 32 +++++---------- .../AAA_ungated.yaml | 32 +++++---------- .../KMSEncryption.yaml | 32 +++++---------- .../KMSEncryptionProvider.yaml | 32 +++++---------- .../v1/zz_generated.swagger_doc_generated.go | 8 ++-- ..._machine-config_01_kubeletconfigs.crd.yaml | 32 +++++---------- .../AAA_ungated.yaml | 32 +++++---------- .../generated_openapi/zz_generated.openapi.go | 10 ++--- ..._50_ingress_00_ingresscontrollers.crd.yaml | 41 ++++++++----------- .../AAA_ungated.yaml | 41 ++++++++----------- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 32 +++++---------- ...ig-operator_01_apiservers-Default.crd.yaml | 32 +++++---------- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 32 +++++---------- ...config-operator_01_apiservers-OKD.crd.yaml | 32 +++++---------- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 32 +++++---------- ..._machine-config_01_kubeletconfigs.crd.yaml | 32 +++++---------- 20 files changed, 201 insertions(+), 411 deletions(-) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..2e45da09e5b 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -316,11 +316,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -345,9 +348,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,8 +360,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -382,9 +380,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -397,23 +392,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -424,9 +411,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 50548951789..272d49db0e3 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -247,11 +247,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -276,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,8 +291,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -313,9 +311,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -328,23 +323,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -355,9 +342,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..23c43814428 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -316,11 +316,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -345,9 +348,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,8 +360,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -382,9 +380,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -397,23 +392,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -424,9 +411,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 3809b7864c6..3c81a12e872 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -247,11 +247,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -276,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,8 +291,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -313,9 +311,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -328,23 +323,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -355,9 +342,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..1d75d68e5a6 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -248,11 +248,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -277,9 +280,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -292,8 +292,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -314,9 +312,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -329,23 +324,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -356,9 +343,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index a79680a164b..cf5221c2f45 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -247,11 +247,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -276,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,8 +291,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -313,9 +311,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -328,23 +323,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -355,9 +342,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 7bcfb4e0c52..a2ef296269b 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -248,11 +248,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -277,9 +280,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -292,8 +292,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -314,9 +312,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -329,23 +324,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -356,9 +343,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a5725c96a88..0a9b213ea67 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -316,11 +316,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -345,9 +348,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,8 +360,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -382,9 +380,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -397,23 +392,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -424,9 +411,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 7f0018950a9..69fb37c5233 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -3004,7 +3004,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", - "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } @@ -3014,9 +3014,9 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml index 5d68283c596..62bfe308b12 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -130,11 +130,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -159,9 +162,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -174,8 +174,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -196,9 +194,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -211,23 +206,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -238,9 +225,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 1c527d3c9f8..c73f8f7211a 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -131,11 +131,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -160,9 +163,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -175,8 +175,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -197,9 +195,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -212,23 +207,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -239,9 +226,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index b3a94e903fb..b50ab6320db 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -12429,7 +12429,7 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20883,7 +20883,7 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, }, SchemaProps: spec.SchemaProps{ - Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20920,7 +20920,7 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", Default: "", Type: []string{"string"}, Format: "", @@ -20928,13 +20928,13 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml index fa03ef576c8..fd7ecdeba24 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml @@ -2005,11 +2005,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2034,9 +2037,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2049,8 +2049,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2071,9 +2069,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2086,23 +2081,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2113,9 +2100,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3253,11 +3241,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 78744d6cb00..92527d9a474 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -1999,11 +1999,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2028,9 +2031,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2043,8 +2043,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2065,9 +2063,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2080,23 +2075,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2107,9 +2094,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3236,11 +3224,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..2e45da09e5b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -316,11 +316,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -345,9 +348,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,8 +360,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -382,9 +380,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -397,23 +392,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -424,9 +411,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 50548951789..272d49db0e3 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -247,11 +247,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -276,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,8 +291,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -313,9 +311,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -328,23 +323,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -355,9 +342,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..23c43814428 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -316,11 +316,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -345,9 +348,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,8 +360,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -382,9 +380,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -397,23 +392,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -424,9 +411,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 3809b7864c6..3c81a12e872 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -247,11 +247,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -276,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,8 +291,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -313,9 +311,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -328,23 +323,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -355,9 +342,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..1d75d68e5a6 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -248,11 +248,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -277,9 +280,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -292,8 +292,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -314,9 +312,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -329,23 +324,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -356,9 +343,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml index 5d68283c596..62bfe308b12 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -130,11 +130,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -159,9 +162,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -174,8 +174,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -196,9 +194,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -211,23 +206,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -238,9 +225,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on