Tune TLS settings #21
Comments
Restrict to 1.3
Use a strict cipher set
Should this be configurable or static?
In some older kernels, TLS 1.3 cannot be supported; why not, like Envoy, make the minimum version TLS 1.2?
Why is the kernel involved? TLS is done in user space...?
To be accurate, it should be the lib that an OS installed.
We statically link the SSL library (like Envoy and Go).
IC, that makes sense.
Is this task for tuning the HBONE connection TLS settings?
Yes, it's more than just the version. The SSL libraries are probably the most unfriendly APIs ever designed. For every option, there are 3 ways to set it, and there are 100s of options. We need to make sure we pick the ones that are most secure and performant.
@howardjohn has this been implemented already? If not, is this required for zTunnel reaching Alpha in OSS?
IMO it should be a blocker for someone to give it a pass over to make sure we are using secure settings. Shouldn't be too much effort.
Should use a strict cipher set and TLS 1.3 only
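The thread settles on "TLS 1.3 only" but does not show how to prove the setting actually bites. The following is an added example, not ztunnel's own code (ztunnel links its own SSL library, so the API differs): it builds a Go crypto/tls server config pinned to TLS 1.3, then runs two real handshakes over an in-memory net.Pipe, one from a TLS 1.3-capable client and one from a client capped at TLS 1.2, and reports what each negotiated. The self-signed certificate, the hostname and the Handshake helper are constructed for the example. One caveat a reviewer should know: in Go the CipherSuites field only governs TLS 1.2 and below, the TLS 1.3 AEAD suites are fixed, so MinVersion is the setting that enforces the policy here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// StrictServerConfig is the hardened setting discussed in the thread:
// the server refuses anything older than TLS 1.3. In crypto/tls the
// CipherSuites field only applies to TLS 1.2 and below; the TLS 1.3 AEAD
// suites are fixed, so pinning MinVersion is what enforces the policy.
func StrictServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // keeps the synchronous pipe below free of post-handshake records
	}
}

// selfSignedCert creates a throwaway certificate (constructed for this
// example) so the handshake runs offline with nothing on disk.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ztunnel-example.invalid"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake drives a full TLS handshake over net.Pipe between the strict
// server and a client capped at clientMaxVersion. It returns the negotiated
// protocol version (0 when the server refused the client) and the client error.
func Handshake(clientMaxVersion uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()

	srv := tls.Server(srvConn, StrictServerConfig(cert))
	cli := tls.Client(cliConn, &tls.Config{
		MaxVersion:         clientMaxVersion,
		InsecureSkipVerify: true, // the certificate above is self-signed; a lab-only shortcut
	})

	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()

	err = cli.Handshake()
	if err != nil {
		cliConn.Close() // unblocks the server goroutine if it is still mid-write on the pipe
	}
	<-srvDone
	if err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, c := range []struct {
		name string
		max  uint16
	}{
		{"TLS 1.3 client", tls.VersionTLS13},
		{"TLS 1.2-only client", tls.VersionTLS12},
	} {
		v, err := Handshake(c.max)
		fmt.Printf("%-20s negotiated=0x%04x err=%v\n", c.name, v, err)
	}
}
```

Running it shows the TLS 1.3 client negotiating 0x0304 and the TLS 1.2-only client failing with a protocol-version alert from the server, which is the check worth keeping as a regression test next to whatever settings end up in the real configuration.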