Commit b5d48c5

Regenerate TLSAdherence manifest with updated TLS profiles
Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent d6855c1 commit b5d48c5

1 file changed

Lines changed: 10 additions & 22 deletions

File tree

  • config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml

Lines changed: 10 additions & 22 deletions
@@ -276,11 +276,14 @@ spec:
276276
ciphers:
277277
description: |-
278278
ciphers is used to specify the cipher algorithms that are negotiated
279-
during the TLS handshake. Operators may remove entries their operands
280-
do not support. For example, to use DES-CBC3-SHA (yaml):
279+
during the TLS handshake. Operators may remove entries that their operands
280+
do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
281281
282282
ciphers:
283-
- DES-CBC3-SHA
283+
- ECDHE-RSA-AES128-GCM-SHA256
284+
285+
TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
286+
and are always enabled when TLS 1.3 is negotiated.
284287
items:
285288
type: string
286289
type: array
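Review bot: the new paragraph at +285/+286 says TLS 1.3 suites are always enabled when TLS 1.3 is negotiated, but not what decides whether 1.3 is negotiated at all; since `ciphers` sits beside `minTLSVersion` in the same Custom profile, add a clause such as "TLS 1.3 is negotiated whenever minTLSVersion allows it and the peer supports it" so a reader does not conclude that listing only ECDHE-RSA-AES128-GCM-SHA256 pins connections to TLS 1.2. Switching the example at +280/+283 from DES-CBC3-SHA to an AEAD suite is the right call; 3DES should not be the first cipher a reader copies out of the docs.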
@@ -305,9 +308,6 @@ spec:
305308
legacy clients and want to remain highly secure while being compatible with
306309
most clients currently in use.
307310
308-
The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
309-
by the "intermediate" profile ciphers.
310-
311311
This profile is equivalent to a Custom profile specified as:
312312
minTLSVersion: VersionTLS12
313313
ciphers:
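Review bot: this is a zz_generated manifest and the commit touches only this one file, so the hand-written Go doc comments it is generated from must already carry the new wording (presumably in parent d6855c1); if they do not, the next regeneration will put the sentence removed at -308/-309 back. The commit message should name the source commit being regenerated from so a reviewer can diff the two rather than trust the title. Dropping the "TLS 1.3 ciphers for forward compatibility" sentence here is consistent with +285/+286 in the first hunk, which now states once, under `ciphers`, that 1.3 suites are not configurable.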
@@ -320,8 +320,6 @@ spec:
320320
- ECDHE-RSA-AES256-GCM-SHA384
321321
- ECDHE-ECDSA-CHACHA20-POLY1305
322322
- ECDHE-RSA-CHACHA20-POLY1305
323-
- DHE-RSA-AES128-GCM-SHA256
324-
- DHE-RSA-AES256-GCM-SHA384
325323
nullable: true
326324
type: object
327325
modern:
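Review bot: removing DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384 at -323/-324 matches Go's crypto/tls, which has never implemented finite-field DHE suites, so these entries were no-ops for Go operands; for any operand that feeds this profile into a non-Go TLS stack (the list uses OpenSSL-style names throughout) it is a real narrowing of the Intermediate profile. Forward secrecy is still guaranteed by the remaining ECDHE-only list, so the security posture does not weaken, but the commit message should say that Intermediate now follows the Go-specific cipher list rather than the full Mozilla one, since line 311 still describes it as "equivalent to a Custom profile" without that qualification.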
@@ -342,9 +340,6 @@ spec:
342340
old is a TLS profile for use when services need to be accessed by very old
343341
clients or libraries and should be used only as a last resort.
344342
345-
The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
346-
by the "old" profile ciphers.
347-
348343
This profile is equivalent to a Custom profile specified as:
349344
minTLSVersion: VersionTLS10
350345
ciphers:
@@ -357,23 +352,15 @@ spec:
357352
- ECDHE-RSA-AES256-GCM-SHA384
358353
- ECDHE-ECDSA-CHACHA20-POLY1305
359354
- ECDHE-RSA-CHACHA20-POLY1305
360-
- DHE-RSA-AES128-GCM-SHA256
361-
- DHE-RSA-AES256-GCM-SHA384
362-
- DHE-RSA-CHACHA20-POLY1305
363355
- ECDHE-ECDSA-AES128-SHA256
364356
- ECDHE-RSA-AES128-SHA256
365357
- ECDHE-ECDSA-AES128-SHA
366358
- ECDHE-RSA-AES128-SHA
367-
- ECDHE-ECDSA-AES256-SHA384
368-
- ECDHE-RSA-AES256-SHA384
369359
- ECDHE-ECDSA-AES256-SHA
370360
- ECDHE-RSA-AES256-SHA
371-
- DHE-RSA-AES128-SHA256
372-
- DHE-RSA-AES256-SHA256
373361
- AES128-GCM-SHA256
374362
- AES256-GCM-SHA384
375363
- AES128-SHA256
376-
- AES256-SHA256
377364
- AES128-SHA
378365
- AES256-SHA
379366
- DES-CBC3-SHA
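Review bot: the surviving Old list is now exactly the set of TLS 1.2 suites that Go's crypto/tls implements (the ECDHE-*-AES256-SHA384, DHE-* and AES256-SHA256 entries removed at -360..-362, -367/-368, -371/-372 and -376 have no Go equivalent), which makes the list honest about what a Go operand can actually offer. DES-CBC3-SHA at 379/366 is kept; it is the only remaining 64-bit-block cipher in the profile (Sweet32) and Go itself lists it under InsecureCipherSuites. Given 342/343 already says "last resort", a sentence under `old` stating that 3DES is retained only for clients that cannot negotiate AES would record the intent and stop a future cleanup from dropping it silently, or keeping it by accident.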
@@ -384,9 +371,10 @@ spec:
384371
type is one of Old, Intermediate, Modern or Custom. Custom provides the
385372
ability to specify individual TLS security profile parameters.
386373
387-
The profiles are currently based on version 5.0 of the Mozilla Server Side TLS
388-
configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for
389-
forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json
374+
The profiles are based on version 5.7 of the Mozilla Server Side TLS
375+
configuration guidelines. The cipher lists consist of the configuration's
376+
"ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
377+
See: https://ssl-config.mozilla.org/guidelines/5.7.json
390378
391379
The profiles are intent based, so they may change over time as new ciphers are
392380
developed and existing ciphers are found to be insecure. Depending on
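Review bot: +375/+376 says the cipher lists are the guideline's "ciphersuites" followed by the Go-specific "ciphers", while +285/+286 in the first hunk says TLS 1.3 suites are not configurable; in the Mozilla 5.x JSON the "ciphersuites" key is the TLS 1.3 list, so the two statements read as contradictory unless the type description says that TLS 1.3 names in a profile are informational and only the TLS 1.2 "ciphers" portion is applied. Suggest: "TLS 1.3 suites appear in the lists for completeness; they are always offered when TLS 1.3 is negotiated and cannot be removed." The text removed at -387..-389 also gave the release date of the 5.0 guidelines; the 5.7 reference at +377 should carry the same so future readers know which snapshot the lists were copied from.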
