Skip to content

pkg/crypto: OpenSSL-to-IANA ciphers mapping: Remove go's unsupported cipher, add missing ones #2119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
damdo wants to merge 3 commits into
base: master
Choose a base branch
from
Open

pkg/crypto: OpenSSL-to-IANA ciphers mapping: Remove go's unsupported cipher, add missing ones #2119

damdo wants to merge 3 commits into from

Conversation

@damdo
Copy link
Member

@damdo damdo commented Feb 5, 2026
edited
Loading

A modified revert of #2118, to partially reintroduce #2080 and add comments on the reasoning regarding missing cipher mappings and explaining how to maintain the mappings list.

We want to have a mapping for all OpenSSL ciphers defined in https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go
so then we can translate them to IANA ciphers, which is what go's crypto/tls understands.

We want to make sure both the openshift/api and these mappings are also compatible with go's crypto/tls ciphers: https://github.com/golang/go/blob/d4febb45179fa99ee1d5783bcb693ed7ba14115c/src/crypto/tls/cipher_suites.go#L682-L724

More details here: #2080 (comment)
And here: https://redhat-internal.slack.com/archives/C098FU5MRAB/p1770309657097269

--

openshift/api PR counterpart: openshift/api#2697

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 5, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 5, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@damdo damdo mentioned this pull request Feb 5, 2026
Merged
@damdo damdo force-pushed the revert-2118-revert-2080-pkg-crypto-update-openSSLToIANACiphers branch 3 times, most recently from d9d9295 to d5680c2 Compare February 6, 2026 08:46
@damdo damdo marked this pull request as ready for review February 6, 2026 08:47
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 6, 2026
@damdo
Copy link
Member Author

damdo commented Feb 6, 2026

/retitle pkg/crypto: OpenSSL-to-IANA ciphers mapping: Remove go's unsupported cipher, add missing ones

@openshift-ci openshift-ci bot changed the title Revert "Revert "pkg/crypto: Add missing cipher suites to OpenSSL-to-IANA ciphers mapping"" pkg/crypto: OpenSSL-to-IANA ciphers mapping: Remove go's unsupported cipher, add missing ones Feb 6, 2026
@damdo
Copy link
Member Author

damdo commented Feb 6, 2026

/assign @p0lyn0mial @joelanford @richardsonnick

bertinatto
bertinatto reviewed Feb 6, 2026
View reviewed changes
Copy link
Member

@bertinatto bertinatto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sanchezl could you help review these changes?

@damdo could you create a proof PR where you bump library-go in an operator (example, KASO) to use your changes? Thanks!

@damdo damdo mentioned this pull request Feb 6, 2026
Open
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: damdo
Once this PR has been reviewed and has the lgtm label, please ask for approval from p0lyn0mial. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@damdo damdo mentioned this pull request Feb 6, 2026
Open
@damdo
Copy link
Member Author

damdo commented Feb 6, 2026

@bertinatto here it is: openshift/cluster-kube-apiserver-operator#2034

@damdo
Copy link
Member Author

damdo commented Feb 6, 2026

/hold

Until openshift/api#2697 merges

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 6, 2026
@damdo
Copy link
Member Author

damdo commented Feb 6, 2026

@bertinatto @p0lyn0mial @ardaguclu CI has finished on openshift/cluster-kube-apiserver-operator#2034 are we happy with the results?

@damdo damdo force-pushed the revert-2118-revert-2080-pkg-crypto-update-openSSLToIANACiphers branch from b802cda to ce4ea87 Compare February 10, 2026 09:24
@damdo
Copy link
Member Author

damdo commented Feb 10, 2026

/test unit

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 10, 2026

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bertinatto bertinatto bertinatto left review comments

@hexfusion hexfusion Awaiting requested review from hexfusion

Assignees

@joelanford joelanford

@p0lyn0mial p0lyn0mial

@richardsonnick richardsonnick

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@damdo @bertinatto @joelanford @p0lyn0mial @richardsonnick