Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a way to configure the cipher suite used for TLS #1605

Closed
urmilparikh95 opened this issue Aug 3, 2023 · 4 comments · Fixed by #1952
Closed

Add a way to configure the cipher suite used for TLS #1605

urmilparikh95 opened this issue Aug 3, 2023 · 4 comments · Fixed by #1952
Labels
enhancement New feature or request priority/undecided Not yet prioritized

Comments

@urmilparikh95
Copy link

urmilparikh95 commented Aug 3, 2023

Is your feature request related to a problem? Please describe.

Currently the cipher suites used by pinniped for TLS are hard-coded. So there is no way to configure them based on user specific requirements.

Describe the solution you'd like

Allow a config which can override/add/limit the hard-coded ciphers.

@joshuatcasey
Copy link
Member

joshuatcasey commented Aug 3, 2023

Thanks for the issue. I suspect what we should do is allow the user to limit the hard-coded ciphers. I think this would be like performing a union intersection on the hard-coded and the provided ciphers to achieve the actual result.

For example, if this is the hardcoded list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

And this is the user-provided list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

The resulting ciphers will actually be configured:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

@urmilparikh95
Copy link
Author

You mean an intersection right. Not a Union. I believe that should solve the current issue

@AllieChen01
Copy link

Hello team, I have one customer requests adding the ability to configure the ciphers to Pinniped.
added the feature to open source Pinniped for TKGm 2.4.

RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384

@joshuatcasey
Copy link
Member

I will start this work for opensource Pinniped soon. Adding the feature to a product that uses Pinniped (such as TKGm) is a different scope of work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request priority/undecided Not yet prioritized
Projects
None yet
4 participants