hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

Validating consul configuration file posted error after setting cipher_suites #15198

Open duj4 opened 1 year ago

duj4 commented 1 year ago


Overview of the Issue

After setting cipher_suites, an error is posted when validating the Consul configuration file.

Reproduction Steps

Steps to reproduce this issue, eg:

  1. Create a cluster with 1 client and 1 node
  2. Set cipher_suites: tls_cipher_suites = "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
  3. Validate consul.hcl with consul validate command

Consul info for both Client and Server

Both client and server are running 1.12.2.

Operating system and Environment details

RHEL 8.6

Log Fragments

After running the `consul validate` command, the error below was posted:

`Config validation failed: 1 error occurred:`

duj4 commented 1 year ago

The cipher_suites list was from:
https://discuss.hashicorp.com/t/configuring-tls-versions-and-cipher-suites-when-using-consul-connect-envoy/16446
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto.html#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlsparameters-cipher-suites

jkirschner-hashicorp commented 1 year ago

Hi @duj4 - my understanding is that this response has come to you through another channel, but repeating here in case (and for any other readers).

The supported values are here: https://github.com/hashicorp/consul/blob/693c8a4706e10bc8cd212ceaf0b6728045e96e17/tlsutil/config.go#L1126-L1138. It seems like the values were provided using Envoy's string values for cipher suites rather than Consul's string values for referring to its supported cipher suites.

I submitted a docs PR to hopefully make this slightly clearer: https://github.com/hashicorp/consul/pull/15203/files

Separate thought: I wonder whether the error message could/should list supported cipher suite strings.
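The root cause in this thread is a naming mismatch: Envoy (and OpenSSL) spell suites as `ECDHE-RSA-AES128-GCM-SHA256`, while Consul, being a Go program, refers to them by the IANA names that Go's `crypto/tls` uses, such as `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`. The program below is an added example and not Consul's own code; the function names `OpenSSLToIANA`, `TranslateList` and `ValidateIANASuites` are mine. It checks a `tls_cipher_suites` value against every suite `crypto/tls` can configure and translates the Envoy spelling from the issue into the IANA form. Note that the set `crypto/tls` accepts is not necessarily identical to the list Consul enforces in `tlsutil/config.go` (linked above), so check translated names against that list before putting them in consul.hcl.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"strings"
)

// opensslRe matches the OpenSSL/Envoy spelling of the ECDHE suites that Go's
// crypto/tls implements: AES-GCM, AES-CBC and ChaCha20-Poly1305.
var opensslRe = regexp.MustCompile(
	`^ECDHE-(RSA|ECDSA)-(AES128|AES256|CHACHA20)-(GCM-SHA256|GCM-SHA384|POLY1305|SHA256|SHA)$`)

// OpenSSLToIANA turns "ECDHE-RSA-AES128-GCM-SHA256" into the IANA spelling that
// Go uses, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". Names outside the families
// above are refused rather than guessed. (Hypothetical helper, not Consul's.)
func OpenSSLToIANA(name string) (string, error) {
	m := opensslRe.FindStringSubmatch(strings.TrimSpace(name))
	if m == nil {
		return "", fmt.Errorf("cannot translate cipher suite %q", name)
	}
	auth, cipher, tail := m[1], m[2], m[3]
	var body string
	switch {
	case cipher == "CHACHA20" && tail == "POLY1305":
		body = "CHACHA20_POLY1305_SHA256"
	case cipher == "CHACHA20":
		return "", fmt.Errorf("cannot translate cipher suite %q", name)
	case strings.HasPrefix(tail, "GCM-"):
		// AES128-GCM-SHA256 -> AES_128_GCM_SHA256
		body = "AES_" + cipher[3:] + "_" + strings.ReplaceAll(tail, "-", "_")
	default:
		// AES128-SHA -> AES_128_CBC_SHA, AES128-SHA256 -> AES_128_CBC_SHA256
		body = "AES_" + cipher[3:] + "_CBC_" + tail
	}
	return "TLS_ECDHE_" + auth + "_WITH_" + body, nil
}

// TranslateList converts a comma-separated OpenSSL/Envoy list into IANA names,
// failing on the first entry it cannot translate.
func TranslateList(csv string) (string, error) {
	var out []string
	for _, raw := range strings.Split(csv, ",") {
		if strings.TrimSpace(raw) == "" {
			continue
		}
		iana, err := OpenSSLToIANA(raw)
		if err != nil {
			return "", err
		}
		out = append(out, iana)
	}
	return strings.Join(out, ","), nil
}

// Verdict is what crypto/tls knows about one accepted suite.
type Verdict struct {
	Name     string // IANA name as written in the config
	ID       uint16 // cipher suite ID, e.g. 0xC02B
	Insecure bool   // Go lists it under tls.InsecureCipherSuites()
}

// configurableSuites indexes every suite crypto/tls implements that a
// tls.Config.CipherSuites list can actually select. TLS 1.3 suites are skipped
// because Go does not let you choose them through that setting.
func configurableSuites() map[string]*tls.CipherSuite {
	out := make(map[string]*tls.CipherSuite)
	for _, list := range [][]*tls.CipherSuite{tls.CipherSuites(), tls.InsecureCipherSuites()} {
		for _, cs := range list {
			if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
				continue
			}
			out[cs.Name] = cs
		}
	}
	return out
}

// ValidateIANASuites checks a tls_cipher_suites value the way a Go program must
// before handing it to tls.Config: every entry has to be an IANA name that
// crypto/tls implements. Unknown strings, including the Envoy spelling from the
// issue, are collected into one error.
func ValidateIANASuites(csv string) ([]Verdict, error) {
	known := configurableSuites()
	var ok []Verdict
	var bad []string
	for _, raw := range strings.Split(csv, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		cs, found := known[name]
		if !found {
			bad = append(bad, name)
			continue
		}
		ok = append(ok, Verdict{Name: name, ID: cs.ID, Insecure: cs.Insecure})
	}
	if len(bad) > 0 {
		return ok, fmt.Errorf("%d unsupported cipher suite(s): %s", len(bad), strings.Join(bad, ", "))
	}
	return ok, nil
}

func main() {
	// Constructed input: the list from the issue, spelled the Envoy way.
	envoy := "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256," +
		"ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
	if _, err := ValidateIANASuites(envoy); err != nil {
		fmt.Println("as written:", err)
	}
	iana, err := TranslateList(envoy)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tls_cipher_suites = %q\n", iana)
	vs, err := ValidateIANASuites(iana)
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		fmt.Printf("  0x%04X %s insecure=%v\n", v.ID, v.Name, v.Insecure)
	}
}
```

Run with `go run`: the Envoy list fails validation with all four strings listed as unsupported, the translated list passes, and all four suites come back as non-insecure AES-GCM suites. The `Insecure` flag is worth keeping in a validator like this: a name can be perfectly valid for Go and still be one (such as the CBC-SHA256 suites) that Go itself flags as weak.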