Merge pull request #4396 from hashicorp/f-tls-ciphers-12

Enable more tls 1.2 ciphers
2026-01-06 10:25:42 +03:00 · 2018-06-07 18:23:54 -04:00
parent 82f7f54fa0 9943b9bafe
commit 3a46925d8a
2 changed files with 22 additions and 9 deletions
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -42,9 +42,17 @@ var supportedTLSCiphers = map[string]uint16{
 }

 // defaultTLSCiphers are the TLS Ciphers that are supported by default
-var defaultTLSCiphers = []string{"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+var defaultTLSCiphers = []string{
 	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 }

 // RegionSpecificWrapper is used to invoke a static Region and turns a
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
@@ -696,9 +696,16 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
 	require := require.New(t)

 	expectedCiphers := []uint16{
-		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	}

 	parsedCiphers, err := ParseCiphers("")
@@ -709,11 +716,9 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
 func TestConfig_ParseCiphers_Invalid(t *testing.T) {
 	require := require.New(t)

-	invalidCiphers := []string{"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-		"TLS_RSA_WITH_RC4_128_SHA",
-		"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+	invalidCiphers := []string{
+		"TLS_RSA_RSA_WITH_RC4_128_SHA",
+		"INVALID_CIPHER",
 	}

 	for _, cipher := range invalidCiphers {