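--- a/PATH_NOT_SHOWN_IN_SOURCE
+++ b/PATH_NOT_SHOWN_IN_SOURCE
@@ -242,35 +242,41 @@ func ValidCipherSuites() []string {
  sort .Strings (validCipherSuites )
  return validCipherSuites
 }
+
+ // DefaultCiphers returns the default cipher suites for TLS connections.
+ //
+ // RECOMMENDATION: Instead of relying on this function directly, consumers should respect
+ // TLSSecurityProfile settings from one of the OpenShift API configuration resources:
+ // - For API servers: Use apiserver.config.openshift.io/cluster Spec.TLSSecurityProfile
+ // - For ingress controllers: Use operator.openshift.io/v1 IngressController Spec.TLSSecurityProfile
+ // - For kubelet: Use machineconfiguration.openshift.io/v1 KubeletConfig Spec.TLSSecurityProfile
+ //
+ // These API resources allow cluster administrators to choose between Old, Intermediate,
+ // Modern, or Custom TLS profiles. Components should observe these settings.
 func DefaultCiphers () []uint16 {
- // HTTP/2 mandates TLS 1.2 or higher with an AEAD cipher
- // suite (GCM, Poly1305) and ephemeral key exchange (ECDHE, DHE) for
- // perfect forward secrecy. Servers may provide additional cipher
- // suites for backwards compatibility with HTTP/1.1 clients.
- // See RFC7540, section 9.2 (Use of TLS Features) and Appendix A
- // (TLS 1.2 Cipher Suite Black List).
+ // Aligned with intermediate profile of the 5.7 version of the Mozilla Server
+ // Side TLS guidelines found at: https://ssl-config.mozilla.org/guidelines/5.7.json
+ //
+ // Latest guidelines: https://ssl-config.mozilla.org/guidelines/latest.json
+ //
+ // This profile provides strong security with wide compatibility.
+ // It requires TLS 1.2+ and uses only AEAD cipher suites (GCM, ChaCha20-Poly1305)
+ // with ECDHE key exchange for perfect forward secrecy.
+ //
+ // All CBC-mode ciphers have been removed due to padding oracle vulnerabilities.
+ // All RSA key exchange ciphers have been removed due to lack of perfect forward secrecy.
+ //
+ // HTTP/2 compliance: All ciphers are compliant with RFC7540, section 9.2.
  return []uint16 {
+ // TLS 1.2 cipher suites with ECDHE + AEAD
  tls .TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ,
  tls .TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ,
  tls .TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ,
- tls .TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 , // required by http /2
+ tls .TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 , // required by HTTP /2
  tls .TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,
  tls .TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,
- tls .TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 , // forbidden by http/2, not flagged by http2isBadCipher() in go1.8
- tls .TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 , // forbidden by http/2, not flagged by http2isBadCipher() in go1.8
- tls .TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA , // forbidden by http/2
- tls .TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA , // forbidden by http/2
- tls .TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA , // forbidden by http/2
- tls .TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA , // forbidden by http/2
- tls .TLS_RSA_WITH_AES_128_GCM_SHA256 , // forbidden by http/2
- tls .TLS_RSA_WITH_AES_256_GCM_SHA384 , // forbidden by http/2
- // the next one is in the intermediate suite, but go1.8 http2isBadCipher() complains when it is included at the recommended index
- // because it comes after ciphers forbidden by the http/2 spec
- // tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
- // tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // forbidden by http/2, disabled to mitigate SWEET32 attack
- // tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // forbidden by http/2, disabled to mitigate SWEET32 attack
- tls .TLS_RSA_WITH_AES_128_CBC_SHA , // forbidden by http/2
- tls .TLS_RSA_WITH_AES_256_CBC_SHA , // forbidden by http/2
+
+ // TLS 1.3 cipher suites (negotiated automatically, not configurable)
  tls .TLS_AES_128_GCM_SHA256 ,
  tls .TLS_AES_256_GCM_SHA384 ,
  tls .TLS_CHACHA20_POLY1305_SHA256 ,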
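Review bot: The body comment at new line 263 says the profile "requires TLS 1.2+", but DefaultCiphers only returns suite IDs and cannot enforce a protocol floor — a tls.Config that takes this list still gets its minimum version from MinVersion, so the doc comment added at 246–255 should say so explicitly, e.g. `// DefaultCiphers does not set a minimum protocol version; callers must set MinVersion (tls.VersionTLS12 or higher) on the tls.Config themselves.` The three TLS 1.3 IDs kept at 280–282 are not configurable through Config.CipherSuites in crypto/tls, as the comment at 279 already notes, so they are harmless but carry no configuration effect and the doc comment could state that too. Since the list is now described as aligned with a fixed Mozilla profile, a small unit test asserting that every returned ID appears in tls.CipherSuites() and none in tls.InsecureCipherSuites() would stop a future edit from silently reintroducing a CBC or RSA-key-exchange suite. The closing braces of the slice literal and of DefaultCiphers lie outside the hunk.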