cli, security: add support for configurable TLS cipher suites #137663
+291
−4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![blathers[crl]](https://avatars.githubusercontent.com/in/59700?s=40&u=373d9101a12edc3847d2fb6ae78e3adcfb4ca41e&v=4){kind=avatar}
|
It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR? 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
|
This change is |
souravcrl
force-pushed
the
configure-tls-ciphers
branch
from
50f89cd to
510ac96
Compare
souravcrl
force-pushed
the
configure-tls-ciphers
branch
3 times, most recently
from
e6e74d4 to
e7ff003
Compare
souravcrl
force-pushed
the
configure-tls-ciphers
branch
from
e7ff003 to
989aa5a
Compare
souravcrl
changed the title
pritesh-lahoti
approved these changes
Jan 9, 2025
There was a problem hiding this comment.
Reviewed 10 of 10 files at r1, 9 of 9 files at r2, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @cthumuluru-crdb)
souravcrl
added
backport-24.1.x
souravcrl
force-pushed
the
configure-tls-ciphers
branch
6 times, most recently
from
338f9b3 to
ef69b20
Compare
fixes cockroachdb#136999 Epic CRDB-45351 Release Note(security,ops): We will be providing a new cockroach start command cli flag `tls-cipher-suites` which is a string of comma separated list of cipher suites to be used for all incoming TLS connections to the node. For TLS 1.2, this should strictly be a subset of suites defined in security/tls_ciphersuites.go as RecommendedCipherSuites or OldCipherSuites. For TLS 1.3, this should be configured to a subset of ciphers in crypto/tls/cipher_suites.go. The flag will restrict TLS connections to the node for all 3 types of connection(i.e. sql, rpc, http) where node acts as the server for the connections and close non-conforming ones.
souravcrl
force-pushed
the
configure-tls-ciphers
branch
from
ef69b20 to
48a8538
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
cli, security: add support for configurable TLS cipher suites
fixes #136999
Epic CRDB-45351
Release Note(security,ops): We will be providing a new cockroach start command
cli flag
tls-cipher-suiteswhich is a string of comma separated list of ciphersuites to be used for all incoming TLS connections to the node. For TLS 1.2,
this should strictly be a subset of suites defined in
security/tls_ciphersuites.go as RecommendedCipherSuites or OldCipherSuites. For
TLS 1.3, this should be configured to a subset of ciphers in
crypto/tls/cipher_suites.go. The flag will restrict TLS connections to the node
for all 3 types of connection(i.e. sql, rpc, http) where node acts as the server
for the connections and close non-conforming ones.