Tune TLS settings

[howardjohn]

Should use a strict cipher set and TLS 1.3 only

[stevenctl]

Restrict to 1.3

Use a strict cipher set

[EItanya]

Should this be configurable or static?

[hzxuzhonghu]

in some older kernel , tls 1.3 can not be supported, why not like envoy make min version tls 1.2

[howardjohn]

Why is the kernel involved? TLS is done is user space...?

[hzxuzhonghu]

To be accurate it should be the lib that an os installed

[howardjohn]

We statically link the SSL library (like Envoy and Go)

[hzxuzhonghu]

IC, that make sense

[ymesika]

Is this task for tuning the HBONE connection TLS settings?
I'm asking because currently min/max version is already 1.3: https://github.com/istio/ztunnel/blob/master/src/tls/boring.rs#L172

[howardjohn]

Yes, its more than just version. The SSL libraries are probably the most unfriendly APIs ever designed. For every option, there are 3 ways to set it, and there are 100s of options. We need to make sure we pick the ones that are most secure and performant.

[SkyfireFrancisZ]

@howardjohn has this been implemented already? If not, is this required for zTunnel reaching Alpha in OSS?

[howardjohn]

IMO it should be a blocker for someone to give it a pass over to make sure we are using secure settings. Shouldn't be too much effort