From 222f96b2e36b09969cea3ea261a594b1a697b757 Mon Sep 17 00:00:00 2001
From: Tim O'Keefe
Date: Fri, 1 Jul 2022 10:30:23 -0400
Subject: [PATCH] OSSMDOC-602: updated cipher suite doc for SMCP v2

---
 modules/ossm-security-cipher-1x.adoc | 47 ++++++++++++++++++++++++++++
 modules/ossm-security-cipher.adoc | 3 +-
 service_mesh/v1x/ossm-security.adoc | 2 +-
 3 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 modules/ossm-security-cipher-1x.adoc

diff --git a/modules/ossm-security-cipher-1x.adoc b/modules/ossm-security-cipher-1x.adoc
new file mode 100644
index 000000000000..9caf018e8945
--- /dev/null
+++ b/modules/ossm-security-cipher-1x.adoc
@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v1x/ossm-security.adoc
+
+[id="ossm-security-cipher-1x_{context}"]
+= Configuring cipher suites and ECDH curves
+
+Cipher suites and Elliptic-curve Diffie–Hellman (ECDH curves) can help you secure your service mesh. You can define a comma separated list of cipher suites using `spec.istio.global.tls.cipherSuites` and ECDH curves using `spec.istio.global.tls.ecdhCurves` in your `ServiceMeshControlPlane` resource. If either of these attributes are empty, then the default values are used.
+
+The `cipherSuites` setting is effective if your service mesh uses TLS 1.2 or earlier. It has no effect when negotiating with TLS 1.3.
+
+Set your cipher suites in the comma separated list in order of priority. For example, `ecdhCurves: CurveP256, CurveP384` sets `CurveP256` as a higher priority than `CurveP384`.
+
+[NOTE]
+====
+You must include either `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` or `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` when you configure the cipher suite. HTTP/2 support requires at least one of these cipher suites.
+
+====
+
+The supported cipher suites are:
+
+* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+* TLS_RSA_WITH_AES_128_GCM_SHA256
+* TLS_RSA_WITH_AES_256_GCM_SHA384
+* TLS_RSA_WITH_AES_128_CBC_SHA256
+* TLS_RSA_WITH_AES_128_CBC_SHA
+* TLS_RSA_WITH_AES_256_CBC_SHA
+* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+* TLS_RSA_WITH_3DES_EDE_CBC_SHA
+
+The supported ECDH Curves are:
+
+* CurveP256
+* CurveP384
+* CurveP521
+* X25519
diff --git a/modules/ossm-security-cipher.adoc b/modules/ossm-security-cipher.adoc
index 25e23b0d58b9..bf90061ca906 100644
--- a/modules/ossm-security-cipher.adoc
+++ b/modules/ossm-security-cipher.adoc
@@ -1,12 +1,11 @@
 // Module included in the following assemblies:
 //
-// * service_mesh/v1x/ossm-security.adoc
 // * service_mesh/v2x/ossm-security.adoc
 
 [id="ossm-security-cipher_{context}"]
 = Configuring cipher suites and ECDH curves
 
-Cipher suites and Elliptic-curve Diffie–Hellman (ECDH curves) can help you secure your service mesh. You can define a comma separated list of cipher suites using `spec.istio.global.tls.cipherSuites` and ECDH curves using `spec.istio.global.tls.ecdhCurves` in your `ServiceMeshControlPlane` resource. If either of these attributes are empty, then the default values are used.
+Cipher suites and Elliptic-curve Diffie–Hellman (ECDH curves) can help you secure your service mesh. You can define a comma separated list of cipher suites using `spec.security.controlplane.tls.cipherSuites` and ECDH curves using `spec.security.controlplane.tls.ecdhCurves` in your `ServiceMeshControlPlane` resource. If either of these attributes are empty, then the default values are used.
 
 The `cipherSuites` setting is effective if your service mesh uses TLS 1.2 or earlier. It has no effect when negotiating with TLS 1.3.
 
diff --git a/service_mesh/v1x/ossm-security.adoc b/service_mesh/v1x/ossm-security.adoc
index f10d55ffbd06..c74e1095f64a 100644
--- a/service_mesh/v1x/ossm-security.adoc
+++ b/service_mesh/v1x/ossm-security.adoc
@@ -12,6 +12,6 @@ If your service mesh application is constructed with a complex array of microser
 
 include::modules/ossm-security-mtls-1x.adoc[leveloffset=+1]
 
-include::modules/ossm-security-cipher.adoc[leveloffset=+1]
+include::modules/ossm-security-cipher-1x.adoc[leveloffset=+1]
 
 include::modules/ossm-security-cert-manage.adoc[leveloffset=+1]