
Commit 6bb67cd

committed
feat(meshtls): Include AES_256_GCM as a supported ciphersuite
This is a strong ciphersuite that's reasonable to include as a supported option. We still prefer CHACHA20_POLY1305 in non-FIPS modes for its speed, as well as keeping CHACHA20_POLY1305 as a backup for older proxies that only support it. Signed-off-by: Scott Fleener <[email protected]>
1 parent 34b46ab commit 6bb67cd


2 files changed

+18
-4
lines changed


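--- a/linkerd/meshtls/rustls/src/backend/aws_lc.rs
+++ b/linkerd/meshtls/rustls/src/backend/aws_lc.rs
@@ -4,8 +4,19 @@ use tokio_rustls::rustls::{
 crypto::{aws_lc_rs, WebPkiSupportedAlgorithms},
 };
 
-pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
-&[rustls::crypto::aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256];
+#[cfg(not(feature = "aws-lc-fips"))]
+pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
+aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
+aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
+aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
+];
+// Prefer aes-256-gcm if fips is enabled, with chaha20-poly1305 as a fallback
+#[cfg(feature = "aws-lc-fips")]
+pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
+aws_lc_rs::cipher_suite::TLS13_AES_256_GCM_SHA384,
+aws_lc_rs::cipher_suite::TLS13_AES_128_GCM_SHA256,
+aws_lc_rs::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
+];
 pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = &WebPkiSupportedAlgorithms {
 all: &[
 webpki::aws_lc_rs::ECDSA_P256_SHA256,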
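Review bot: The FIPS-mode list (the `#[cfg(feature = "aws-lc-fips")]` static) still ends with `TLS13_CHACHA20_POLY1305_SHA256`, which is not a FIPS-approved AEAD, so a FIPS build can still negotiate it with a peer that offers nothing else. The commit message says this is kept deliberately for older proxies, so the comment above the static should record that and its compliance cost, for example `// Prefer AES-GCM when FIPS is enabled. chacha20-poly1305 is kept only as a fallback for older proxies that offer nothing else; it is not FIPS-approved.` (this also fixes the `chaha20` typo). The non-FIPS list here and the list in ring.rs carry no comment on their ordering, and both add `TLS13_AES_128_GCM_SHA256`, which the commit title and description do not mention; a line such as `// Ordered by preference: chacha20-poly1305 first for speed, then AES-GCM.` on each would record the intent. If anything outside this hunk relies on rustls reporting the provider or config as FIPS through its `fips()` check, this list presumably makes that report false, which is worth confirming.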

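--- a/linkerd/meshtls/rustls/src/backend/ring.rs
+++ b/linkerd/meshtls/rustls/src/backend/ring.rs
@@ -4,8 +4,11 @@ use tokio_rustls::rustls::{
 crypto::{ring, WebPkiSupportedAlgorithms},
 };
 
-pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
-&[rustls::crypto::ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256];
+pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[
+ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256,
+ring::cipher_suite::TLS13_AES_128_GCM_SHA256,
+ring::cipher_suite::TLS13_AES_256_GCM_SHA384,
+];
 // A subset of the algorithms supported by rustls+ring, imported from
 // https://github.com/rustls/rustls/blob/v/0.23.21/rustls/src/crypto/ring/mod.rs#L107
 pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = &WebPkiSupportedAlgorithms {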
