-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[YUNIKORN-2456] Remove weak ciphers #795
Conversation
Set limited ciphers on TLS connections, removing weak ciphers. Based on the list maintained in the go standard TLS library.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #795 +/- ##
==========================================
+ Coverage 71.58% 71.61% +0.03%
==========================================
Files 43 43
Lines 6338 6338
==========================================
+ Hits 4537 4539 +2
+ Misses 1599 1597 -2
Partials 202 202 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for late review
MinVersion: tls.VersionTLS12, | ||
Certificates: []tls.Certificate{*certs}}, | ||
MinVersion: tls.VersionTLS12, // No SSL, TLS 1.0 or TLS 1.1 support | ||
NextProtos: []string{"h2", "http/1.1"}, // prefer HTTP/2 over HTTP/1.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we remove the cipher suits which may be treated as error by http/2 with tls 1.2?
see RFC 7540
What is this PR for?
Set limited ciphers on TLS connections, removing weak ciphers. Based on the list maintained in the go standard TLS library.
What type of PR is it?
What is the Jira issue?
How should this be tested?
Standard e2e tests cover the changes