Benjamin Darnell (bdarnell) commented:

I didn't catch that in 7f66b09, when the TLS cipher list was moved to an external file, it got a lot longer and included some cipher suites that we do not support (for example, we don't support any PSK ciphers). How was this longer list generated? This list also includes only TLS 1.2 ciphers; the TLS 1.3 ciphers are not present.

In TLS 1.3, we support the following ciphers (source):

In TLS 1.2, we support the following ciphers by default (source):

The following ciphers are disabled by default but may be enabled with the COCKROACH_TLS_ENABLE_OLD_CIPHER_SUITES environment variable:

It looks like you may have pulled the full list of IETF-recommended ciphers, but the actual answer is the ciphers that are:

- Recommended by IETF
- Implemented in Go (this excludes the CCM ciphers among others)
- Applicable to our configuration (this would exclude PSK ciphers even if they were implemented in Go)

And all of this is for standard builds; FIPS builds have their own cipher lists that are documented in https://www.cockroachlabs.com/docs/stable/fips#in-flight (correctly, I think? I'm not sure if FIPS builds add the TLS 1.3 AES-CCM ciphers).
Jira Issue: DOC-10076
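As an added illustration (not code from the CockroachDB repository), the "implemented in Go" and "applicable to our configuration" criteria from the comment above, checked against Go's own `crypto/tls` tables: the input is a constructed list of suite names, assumed to have already been filtered to the IETF-recommended set, and each name is bucketed as PSK-excluded, TLS 1.3, TLS 1.2, or not implemented in Go. The `Candidates`, `Verdict` and `Classify` names are this example's own.

```go
package main

import (
	"crypto/tls"
	"strings"
)

// Constructed sample of names as they might appear in an external cipher-list
// file: a TLS 1.3 suite, two TLS 1.2 suites, a CCM suite and a PSK suite.
var Candidates = []string{
	"TLS_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_DHE_RSA_WITH_AES_128_CCM",
	"TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
}

// Verdict buckets candidates by the comment's criteria: applicable to a
// certificate-based config (no PSK), implemented in Go, and for which version.
type Verdict struct {
	Excluded []string // PSK suites: not applicable even if Go implemented them
	TLS13    []string // in tls.CipherSuites(), negotiable only under TLS 1.3
	TLS12    []string // in tls.CipherSuites(), TLS 1.2 and earlier only
	NotInGo  []string // absent from tls.CipherSuites() (e.g. CCM, DHE, RC4)
}

// Classify checks each name against Go's own cipher-suite table.
func Classify(names []string) Verdict {
	secure := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs
	}
	var v Verdict
	for _, n := range names {
		cs := secure[n]
		switch {
		case strings.Contains(n, "_PSK_"): // first: excluded regardless of Go support
			v.Excluded = append(v.Excluded, n)
		case cs == nil:
			v.NotInGo = append(v.NotInGo, n)
		case len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13:
			v.TLS13 = append(v.TLS13, n)
		default:
			v.TLS12 = append(v.TLS12, n)
		}
	}
	return v
}
```

Names that land in `NotInGo` or `Excluded` are the ones a generated list should drop before it is committed, whatever their IETF status.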