hashicorp / consul-k8s

First-class support for Consul Service Mesh on Kubernetes
https://www.consul.io/docs/k8s
Mozilla Public License 2.0

Consider Configuring `tls_prefer_server_cipher_suites` in the Helm-Chart #1188

Open NodyHub opened 2 years ago

NodyHub commented 2 years ago

It may be useful to consider using the `tls_prefer_server_cipher_suites` configuration option in the Helm-Chart. The default configures the Consul server to pick the client's preferred cipher suite instead of enforcing the server's preferred cipher suite.

NodyHub commented 2 years ago

As we from the product security team recommend in Vault (#26, #43, #53), it would also be recommended to configure this parameter on the Consul side.

Even if this configuration becomes outdated at some point from Go version 1.17, it might take a while to migrate Consul up from version 1.13.