envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Why “cipher_suites” in this extensions.transport_sockets.tls.v3.TlsParameters just for TLSv1_2, how to set cipher_suites for TLSv1_3 ? #34720

Closed wufanqqfsc closed 2 months ago

wufanqqfsc commented 3 months ago

Title: cipher_suites for TLSv1_3

Description:

cipher_suites (repeated string): "If specified, the TLS listener will only support the specified cipher list when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3)." So is there any way for us to set the cipher_suites for TLSv1_3 right now? Or do we need to extend it ourselves with a new parameter? @ggreenway

alyssawilk commented 3 months ago

cc @RyanTheOptimist

ggreenway commented 3 months ago

From the BoringSSL docs:

// TLS 1.3 ciphers do not participate in this mechanism and instead have a
// built-in preference order. Functions to set cipher lists do not affect TLS
// 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers.

I don't believe there's a way to configure boringssl to use a non-default set of cipher suites for TLSv1.3.

kyessenov commented 3 months ago

Correct, TLSv1.3 has mandated a set of ciphers as part of the protocol version. There is only one recommended cipher (CHACHA20-based one, non-FIPS compliant) that can possibly be adjusted.
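To make the point in the two replies above concrete, here is an added Envoy configuration example (not from the issue thread or the Envoy docs) that puts the same TlsParameters on two listeners. Ports, certificate paths and the echo filter are placeholders; the cipher names are standard BoringSSL TLS 1.2 suite names.

```yaml
# Added example (not from the issue thread). Two listeners with the same
# cipher_suites list; only the allowed protocol range differs.
static_resources:
  listeners:
  # Listener 1: TLS 1.3 allowed. cipher_suites only constrains TLS 1.0-1.2
  # handshakes; a TLS 1.3 client still gets BoringSSL's built-in 1.3 suite
  # order (AES-GCM / CHACHA20-POLY1305), whatever this list says.
  - name: tls13_allowed
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.echo
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }  # placeholder path
              private_key: { filename: /etc/envoy/certs/server.key }        # placeholder path
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
              tls_maximum_protocol_version: TLSv1_3
              cipher_suites:
              - ECDHE-ECDSA-AES256-GCM-SHA384
              - ECDHE-RSA-AES256-GCM-SHA384

  # Listener 2: capped at TLS 1.2. Here the cipher_suites list is actually
  # enforced for every handshake, at the cost of giving up TLS 1.3 entirely.
  - name: tls12_capped
    address:
      socket_address: { address: 0.0.0.0, port_value: 8444 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.echo
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.echo.v3.Echo
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }  # placeholder path
              private_key: { filename: /etc/envoy/certs/server.key }        # placeholder path
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
              tls_maximum_protocol_version: TLSv1_2
              cipher_suites:
              - ECDHE-ECDSA-AES256-GCM-SHA384
              - ECDHE-RSA-AES256-GCM-SHA384
```

To see the difference, connect to each port with an OpenSSL 1.1.1+ client and pin a TLS 1.3 suite that is not AES-256: `openssl s_client -connect 127.0.0.1:8443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256` completes the handshake and reports `TLS_AES_128_GCM_SHA256`, because the listener's `cipher_suites` never saw the TLS 1.3 negotiation, while the same command against port 8444 fails (no TLS 1.3) and `openssl s_client -connect 127.0.0.1:8444 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256` is rejected by the enforced list. The trade-off is the one the thread ends on: with BoringSSL, the only way to exclude a TLS 1.3 suite through this field is to not offer TLS 1.3 at all.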

wufanqqfsc commented 2 months ago

OK, thanks very much. It seems we have to turn to the OpenSSL version of Envoy because of this limitation of BoringSSL.