tls: remove SHA-1 cipher suites from the defaults on the server-side (e…

…nvoyproxy#20643)

Signed-off-by: derekguo001 <dong.guo@intel.com>
Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>

docs/root/version_history/current.rst

@@ -9,6 +9,8 @@ Minor Behavior Changes
 ----------------------
 *Changes that may cause incompatibilities for some users, but should not for most*
 
+* tls: removed SHA-1 cipher suites from the server-side defaults.
+
 Bug Fixes
 ---------
 *Changes expected to improve the state of the world and are unlikely to have negative effects*

source/extensions/transport_sockets/tls/context_config_impl.cc

@@ -369,16 +369,10 @@ const std::string ServerContextConfigImpl::DEFAULT_CIPHER_SUITES =
     "ECDHE-ECDSA-AES128-GCM-SHA256:"
     "ECDHE-RSA-AES128-GCM-SHA256:"
 #endif
-    "ECDHE-ECDSA-AES128-SHA:"
-    "ECDHE-RSA-AES128-SHA:"
     "AES128-GCM-SHA256:"
-    "AES128-SHA:"
     "ECDHE-ECDSA-AES256-GCM-SHA384:"
     "ECDHE-RSA-AES256-GCM-SHA384:"
-    "ECDHE-ECDSA-AES256-SHA:"
-    "ECDHE-RSA-AES256-SHA:"
-    "AES256-GCM-SHA384:"
-    "AES256-SHA";
+    "AES256-GCM-SHA384:";
 
 const std::string ServerContextConfigImpl::DEFAULT_CURVES =
 #ifndef BORINGSSL_FIPS

test/extensions/transport_sockets/tls/ssl_socket_test.cc

@@ -4487,6 +4487,12 @@ TEST_P(SslSocketTest, CipherSuites) {
 
   // Client connects with unsupported cipher suite, connection fails.
   client_params->add_cipher_suites("ECDHE-RSA-AES128-GCM-SHA256");
+  client_params->add_cipher_suites("ECDHE-ECDSA-AES128-SHA");
+  client_params->add_cipher_suites("ECDHE-RSA-AES128-SHA");
+  client_params->add_cipher_suites("AES128-SHA");
+  client_params->add_cipher_suites("ECDHE-ECDSA-AES256-SHA");
+  client_params->add_cipher_suites("ECDHE-RSA-AES256-SHA");
+  client_params->add_cipher_suites("AES256-SHA");
   server_params->add_cipher_suites("ECDHE-RSA-CHACHA20-POLY1305");
   updateFilterChain(tls_context, *filter_chain);
   TestUtilOptionsV2 error_test_options(listener, client, false, GetParam());