🔒 Update supported TLS cipher suites #3962
Conversation
|
Thanks for the PR @canterberry! Prior to review it'd be worth investigating out the source of the test failures here. You can run tests locally with |
pearkes
added
the
waiting-reply
|
Thanks for the comment @pearkes! At the time I forked for this PR, the Edit: Ah, it does look like it might be a legitimate failure. Investigating… |
|
@pearkes Fixed. The failing tests were due to differences in the three different configuration definitions in the test suite, which all need to be in sync for the expectations to work out properly. The error reported by the failing test is misleading -- it seems to occur if any definition within the JSON or HCL payloads do not match up with the corresponding values in the The most recent failing Travis build appears to be sporadic. Local builds are failing for me due to the HTTP test suite creating too many open files, but the tests shown by Travis CI as failing do pass for me locally. |
The list of cipher suites included in this commit are consistent with the values and precedence in the [Golang TLS documentation](https://golang.org/src/crypto/tls/cipher_suites.go). > **Note:** Cipher suites with RC4 are still included within the list > of accepted values for compatibility, but **these cipher suites are > not safe to use** and should be deprecated with warnings and > subsequently removed. Support for RC4 ciphers has already been > removed or disabled by default in many prominent browsers and tools, > including Golang. > > **References:** > > * [RC4 on Wikipedia](https://en.wikipedia.org/wiki/RC4) > * [Mozilla Security Blog](https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/)
|
(squashing latest two commits to coerce a Travis CI rebuild) |
canterberry
force-pushed
the
upgrade/tls-cipher-suites
branch
from
dc4568e
to
7236c95
Compare
| testrpc.WaitForLeader(t, s1.RPC, "dc1") | ||
|
|
||
| err:= s1.revokeLeadership() | ||
| err := s1.revokeLeadership() |
There was a problem hiding this comment.
Note: The seemingly spurious changes in this file result from changes applied by make format. An identical diff for this file can be achieved by running this command against the current HEAD of the master branch.
|
Thanks @canterberry! |
The list of cipher suites included in this commit are consistent with the values and precedence in the Golang TLS documentation.
Removed
No cipher suites were removed in this PR. For existing cipher suites, only the order has changed.
Added
The following cipher suites were added in this PR:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305TLS_RSA_WITH_AES_128_CBC_SHA256Security Note
Cipher suites with RC4 are still included within the list of accepted values for compatibility, but these cipher suites are not safe to use and should be deprecated with warnings and subsequently removed. Support for RC4 ciphers has already been removed or disabled by default in many prominent browsers and tools, including Golang.
References