solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

support deprecated cipher suites #5394

Open bcollard opened 2 years ago

bcollard commented 2 years ago

Is your feature request related to a problem? Please describe.

For backward compatibility reasons, some users want to support deprecated ciphers, like these ones:

ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
AES256-SHA256
AES128-SHA256

# Envoy style:
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Describe the solution you'd like

Being able to enable them in sslParameters (downstream and upstream). Check if we need a special build of BoringSSL and Envoy to support them.

Describe alternatives you've considered

Adding another TLS proxy in front of Envoy

chrisgaun commented 2 years ago

The real ask is to support OpenSSL. Related issue https://github.com/envoyproxy/envoy-openssl

guydc commented 2 years ago

> The real ask is to support OpenSSL. Related issue https://github.com/envoyproxy/envoy-openssl

Red Hat is using OpenSSL in one of their envoy-based products: https://maistra.io/docs/ossm-vs-community.html#ossm-openssl_ossm-vs-istio

github-actions[bot] commented 1 month ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.