Backport #14500 to 3.4 #14601
Conversation
…oxy listener Signed-off-by: Allen Ray <alray@redhat.com>
Backporting #14308
switch s { | ||
case "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": | ||
return tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, true | ||
case "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": | ||
return tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, true | ||
} |
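Review bot: the two `case` arms map suite names that lack the `_SHA256` suffix onto Go constants that carry it, and since the Go 1.16 source linked in this thread already exposes both suites under the `_SHA256` names, a reader will take the arms for redundant (as happened here). Add a one-line comment above `switch s {` saying these are legacy spellings accepted for compatibility with existing cipher-suite configs, so the intent survives the next backport.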
Golang 1.16.15 already includes these two cipher suites; why do you process them separately?
FYI. https://github.com/golang/go/blob/go1.16.15/src/crypto/tls/cipher_suites.go#L71-L72
This may be an unneeded copy from Sam's original PR; I don't have a specific reason to have this. I would be happy to remove it; however, it does align this version with the future versions.
the future versions
Do you mean future golang versions? All future golang versions already include these two cipher suites, so we need to remove them from main and release-3.5 as well.
@ptabor could you share your reasoning for adding this (processing these two cipher suites separately) in the first place?
Double checked the go library src; it includes both TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, but we (etcd) also support TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305. Let's keep it as it is for now.
LGTM
Thank you @dusk125
server/etcdmain: add configurable cipher list to gRPC proxy listener
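To make the name mapping the thread settles on concrete, here is an added Go example (not etcd's code) that resolves a configured cipher-suite name to its ID, accepting the names crypto/tls reports plus the two legacy spellings discussed above; the function names and the alias table are my own, and insecure suites are rejected rather than passed through.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// legacyAliases maps the older spellings that lack the _SHA256 suffix reported
// by crypto/tls onto the Go constants. Constructed for this example.
var legacyAliases = map[string]uint16{
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}

// cipherSuiteID resolves a configured name to its IANA ID: the standard
// library's secure suites first, then the legacy aliases. Suites crypto/tls
// classes as insecure (RC4, 3DES) are rejected, so a hardened list cannot re-enable them.
func cipherSuiteID(name string) (uint16, bool) {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return cs.ID, true
		}
	}
	id, ok := legacyAliases[name]
	return id, ok
}

// parseCipherList turns a comma-separated config value into IDs suitable for
// tls.Config.CipherSuites, failing on the first unknown or insecure name.
func parseCipherList(list string) ([]uint16, error) {
	var ids []uint16
	for _, raw := range strings.Split(list, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		id, ok := cipherSuiteID(name)
		if !ok {
			return nil, fmt.Errorf("unsupported or insecure cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

func main() {
	ids, err := parseCipherList("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_AES_128_GCM_SHA256")
	fmt.Printf("%#04x %v\n", ids, err)
}
```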