-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
util: Disable 3DES ciphers for TLS connections (#27690) #27859
util: Disable 3DES ciphers for TLS connections (#27690) #27859
Conversation
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review. |
/run-all-tests |
@dveeden you're already a collaborator in bot's repo. |
@dveeden: Thanks for your review. The bot only counts approvals from reviewers and higher roles in list, but you're still welcome to leave your comments. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository. |
/run-all-tests |
/assign @morgo |
/merge |
This pull request has been accepted and is ready to merge. Commit hash: ce11d54
|
cherry-pick #27690 to release-5.2
You can switch your code base to this Pull Request by using git-extras:
# In tidb repo: git pr https://github.com/pingcap/tidb/pull/27859
After apply modifications, you can push your change to this PR via:
What problem does this PR solve?
Problem Summary:
Depending on the version of Go that is used, etc some insecure TLS ciphersuites are enabled.
This removes the following ciphersuites:
Note that https://docs.pingcap.com/tidb/stable/enable-tls-between-clients-and-servers didn't list these ciphersuites.
See also:
What is changed and how it works?
How it Works:
tls.CipherSuites()
only lists ciphersuite that haveInsecure=false
, but in some cases this includes 3DES based ciphersuites, and these are explicitly removed from the list before using it in thetls.Config
Check List
Tests
Side effects
This intentionally removes compatibility with 3DES ciphersuites. This is not expected to impact any users as this is not commonly used for MySQL connections.
Release note