From f0c141b863edfdf21d72ec2cd1a612ce87b78db8 Mon Sep 17 00:00:00 2001
From: Michael Boquard
Date: Tue, 19 Nov 2024 21:14:52 -0500
Subject: [PATCH] config/tls: Updated TLS cipher string to include ECDSA ciphers

This was a miss when #19792 landed. Only RSA based cipher strings were included in the list. This wasn't caught because our integration tests only use RSA based certificates. Also this may have taken some time for customers to find as this bug didn't effect TLSv1.3.

Signed-off-by: Michael Boquard
---
 src/v/config/tls_config.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/v/config/tls_config.h b/src/v/config/tls_config.h
index c9f248e963508..640e106e4fe63 100644
--- a/src/v/config/tls_config.h
+++ b/src/v/config/tls_config.h
@@ -62,9 +62,11 @@ struct p12_container {
 using key_cert_container = std::variant;
 
 inline constexpr std::string_view tlsv1_2_cipher_string
- = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
- "AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:AES128-"
- "SHA:AES128-CCM:ECDHE-RSA-AES256-SHA:AES256-SHA:AES256-CCM";
+ = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-"
+ "SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-"
+ "GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-SHA:AES128-CCM:ECDHE-"
+ "RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-SHA:AES256-CCM";
 
 inline constexpr std::string_view tlsv1_3_ciphersuites
 = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_"
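Review bot: The fix to `tlsv1_2_cipher_string` arrives without a regression test, even though the description itself attributes the miss to integration tests that only use RSA certificates; the diffstat shows `src/v/config/tls_config.h` as the sole file touched, so a TLSv1.2 handshake against an ECDSA certificate is still unexercised and the same omission can recur the next time this list is edited. Adding an ECDSA-certificate variant to the existing TLS integration tests would close that gap. Separately, the rewritten list still contains non-ECDHE suites with no forward secrecy (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA`, `AES256-SHA`, `AES128-CCM`, `AES256-CCM`) and SHA-1 CBC suites (`ECDHE-*-AES128-SHA`, `ECDHE-*-AES256-SHA`); nothing in the hunk records whether that is a deliberate compatibility choice. If it is, a comment on the constant would prevent a future reader from treating it as an oversight, e.g. `// TLSv1.2 cipher list. Every ECDHE suite is listed for both RSA and ECDSA certificates; the non-ECDHE and CBC-SHA entries are retained intentionally for older clients (confirm).`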