diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index 1e5189796e4..e20c8c14e88 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -37,27 +37,32 @@ type TLSSecurityProfile struct { // - ECDHE-RSA-AES256-GCM-SHA384 // - ECDHE-ECDSA-CHACHA20-POLY1305 // - ECDHE-RSA-CHACHA20-POLY1305 - // - DHE-RSA-AES128-GCM-SHA256 - // - DHE-RSA-AES256-GCM-SHA384 - // - DHE-RSA-CHACHA20-POLY1305 // - ECDHE-ECDSA-AES128-SHA256 // - ECDHE-RSA-AES128-SHA256 // - ECDHE-ECDSA-AES128-SHA // - ECDHE-RSA-AES128-SHA - // - ECDHE-ECDSA-AES256-SHA384 - // - ECDHE-RSA-AES256-SHA384 // - ECDHE-ECDSA-AES256-SHA // - ECDHE-RSA-AES256-SHA - // - DHE-RSA-AES128-SHA256 - // - DHE-RSA-AES256-SHA256 // - AES128-GCM-SHA256 // - AES256-GCM-SHA384 // - AES128-SHA256 - // - AES256-SHA256 // - AES128-SHA // - AES256-SHA // - DES-CBC3-SHA // + // // Ciphers not in this profile even though listed + // // in the Mozilla Server Side TLS configuration guidelines: + // // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + // - DHE-RSA-AES128-GCM-SHA256 + // - DHE-RSA-AES256-GCM-SHA384 + // - DHE-RSA-CHACHA20-POLY1305 + // - DHE-RSA-AES128-SHA256 + // - DHE-RSA-AES256-SHA256 + // // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + // - ECDHE-ECDSA-AES256-SHA384 + // - ECDHE-RSA-AES256-SHA384 + // - AES256-SHA256 + // // +optional // +nullable Old *OldTLSProfile `json:"old,omitempty"` @@ -81,6 +86,10 @@ type TLSSecurityProfile struct { // - ECDHE-RSA-AES256-GCM-SHA384 // - ECDHE-ECDSA-CHACHA20-POLY1305 // - ECDHE-RSA-CHACHA20-POLY1305 + // + // // Ciphers not in this profile even though listed + // // in the Mozilla Server Side TLS configuration guidelines: + // // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) // - DHE-RSA-AES128-GCM-SHA256 // - DHE-RSA-AES256-GCM-SHA384 // @@ -220,26 +229,30 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", - "DHE-RSA-AES128-GCM-SHA256", - "DHE-RSA-AES256-GCM-SHA384", - "DHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", - "ECDHE-ECDSA-AES256-SHA384", - "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", - "DHE-RSA-AES128-SHA256", - "DHE-RSA-AES256-SHA256", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", - "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + // - DHE-RSA-AES128-GCM-SHA256 + // - DHE-RSA-AES256-GCM-SHA384 + // - DHE-RSA-CHACHA20-POLY1305 + // - DHE-RSA-AES128-SHA256 + // - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + // - ECDHE-ECDSA-AES256-SHA384 + // - ECDHE-RSA-AES256-SHA384 + // - AES256-SHA256 }, MinTLSVersion: VersionTLS10, }, @@ -254,8 +267,11 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", - "DHE-RSA-AES128-GCM-SHA256", - "DHE-RSA-AES256-GCM-SHA384", + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + // - DHE-RSA-AES128-GCM-SHA256 + // - DHE-RSA-AES256-GCM-SHA384 }, MinTLSVersion: VersionTLS12, }, diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..f92e9efa06c 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -360,6 +360,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -397,26 +401,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 50548951789..fbafc70e721 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -291,6 +291,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -328,26 +332,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..4723ac6cd5c 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -360,6 +360,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -397,26 +401,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 3809b7864c6..2afd10156f8 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -291,6 +291,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -328,26 +332,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..ca1ddc33498 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -292,6 +292,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -329,26 +333,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index a79680a164b..c8d340402dc 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -291,6 +291,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -328,26 +332,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index 7bcfb4e0c52..b31e18be8df 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -292,6 +292,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -329,26 +333,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a5725c96a88..e75bc0e9ea6 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -360,6 +360,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -397,26 +401,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 7f0018950a9..3c9eedb82c3 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -3015,8 +3015,8 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA\n\n // Ciphers not in this profile even though listed\n // in the Mozilla Server Side TLS configuration guidelines:\n // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - AES256-SHA256", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n\n // Ciphers not in this profile even though listed\n // in the Mozilla Server Side TLS configuration guidelines:\n // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml index 5d68283c596..6fa585d67b0 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -174,6 +174,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -211,26 +215,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 1c527d3c9f8..17ceced0391 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -175,6 +175,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -212,26 +216,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index b3a94e903fb..5e9aac96ab6 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -20928,13 +20928,13 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA\n\n // Ciphers not in this profile even though listed\n // in the Mozilla Server Side TLS configuration guidelines:\n // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - AES256-SHA256", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n\n // Ciphers not in this profile even though listed\n // in the Mozilla Server Side TLS configuration guidelines:\n // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml index fa03ef576c8..cb97e7e579c 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml @@ -2049,6 +2049,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -2086,26 +2090,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 78744d6cb00..549e1a354aa 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -2043,6 +2043,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -2080,26 +2084,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..f92e9efa06c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -360,6 +360,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -397,26 +401,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 50548951789..fbafc70e721 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -291,6 +291,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -328,26 +332,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..4723ac6cd5c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -360,6 +360,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -397,26 +401,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 3809b7864c6..2afd10156f8 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -291,6 +291,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -328,26 +332,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index d436a75b809..ca1ddc33498 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -292,6 +292,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -329,26 +333,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml index 5d68283c596..6fa585d67b0 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -174,6 +174,10 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 nullable: true @@ -211,26 +215,31 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA + + // Ciphers not in this profile even though listed + // in the Mozilla Server Side TLS configuration guidelines: + // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758) + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652) + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - AES256-SHA256 nullable: true type: object type: