52 changes: 34 additions & 18 deletions config/v1/types_tlssecurityprofile.go
Expand Up @@ -37,27 +37,32 @@ type TLSSecurityProfile struct {
// - ECDHE-RSA-AES256-GCM-SHA384
// - ECDHE-ECDSA-CHACHA20-POLY1305
// - ECDHE-RSA-CHACHA20-POLY1305
// - DHE-RSA-AES128-GCM-SHA256
// - DHE-RSA-AES256-GCM-SHA384
// - DHE-RSA-CHACHA20-POLY1305
// - ECDHE-ECDSA-AES128-SHA256
// - ECDHE-RSA-AES128-SHA256
// - ECDHE-ECDSA-AES128-SHA
// - ECDHE-RSA-AES128-SHA
// - ECDHE-ECDSA-AES256-SHA384
// - ECDHE-RSA-AES256-SHA384
// - ECDHE-ECDSA-AES256-SHA
// - ECDHE-RSA-AES256-SHA
// - DHE-RSA-AES128-SHA256
// - DHE-RSA-AES256-SHA256
// - AES128-GCM-SHA256
// - AES256-GCM-SHA384
// - AES128-SHA256
// - AES256-SHA256
// - AES128-SHA
// - AES256-SHA
// - DES-CBC3-SHA
//
// // Ciphers not in this profile even though listed
// // in the Mozilla Server Side TLS configuration guidelines:
// // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
// - DHE-RSA-AES128-GCM-SHA256
// - DHE-RSA-AES256-GCM-SHA384
// - DHE-RSA-CHACHA20-POLY1305
// - DHE-RSA-AES128-SHA256
// - DHE-RSA-AES256-SHA256
// // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
// - ECDHE-ECDSA-AES256-SHA384
// - ECDHE-RSA-AES256-SHA384
// - AES256-SHA256
Comment on lines +53 to +64

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the file
find . -name "types_tlssecurityprofile.go" -type f

Repository: openshift/api

Length of output: 96


🏁 Script executed:

# Once we find it, let's look at the specific lines mentioned
# Lines 53-64 (Old profile) and 252-255 (also applies to)
# We'll get broader context to understand the profile structure
cat -n config/v1/types_tlssecurityprofile.go | sed -n '1,100p'

Repository: openshift/api

Length of output: 4697


🌐 Web query:

Go crypto/tls CBC cipher support all versions limitations

💡 Result:

Go crypto/tls CBC cipher suite support (by TLS version) and key limitations

1) TLS 1.3: No CBC at all

TLS 1.3 cipher suites in Go are AEAD-only (AES-GCM, ChaCha20-Poly1305) and cannot be configured via Config.CipherSuites. So CBC suites are never negotiated in TLS 1.3. [1], [2]

2) TLS 1.0–1.2: CBC is implemented, but with important caveats

Go implements multiple AES-CBC suites for TLS 1.0–1.2, including (examples): TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, etc. [3]

However:

  • CBC + SHA-256 (“CBC_SHA256”) suites are considered insecure in Go (no Lucky13 countermeasures) and are disabled by default. They appear under tls.InsecureCipherSuites(). [3], [2]
  • CBC + SHA-1 suites still exist (and are not in InsecureCipherSuites()), but CBC as a family is historically attack-prone (e.g., Lucky13-style side channels). Go’s mitigations are described as only partial/complex, and CBC suites are intended mainly for compatibility fallback. [2]

3) “Default enabled” vs “implemented” changes across Go versions

Even when CBC suites are implemented, whether they’re in the default set can change across Go releases:

  • Go’s docs note that defaults change over time; e.g. RSA key-exchange suites removed from defaults in Go 1.22 (re-add via GODEBUG=tlsrsakex=1) and 3DES removed from defaults in Go 1.23 (re-add via GODEBUG=tls3des=1). (3DES is CBC-mode and is also classified insecure.) [1], [3]

4) Configuring CBC in Go: what you can and can’t do

  • Config.CipherSuites only affects TLS 1.0–1.2; it does nothing for TLS 1.3. [1]
  • To “force” CBC you generally must also ensure you’re not negotiating TLS 1.3 (e.g., MaxVersion: tls.VersionTLS12), otherwise TLS 1.3 will avoid CBC entirely. [1]

5) Extra restriction: FIPS mode

In Go’s FIPS 140-3 mode, non-approved cipher suites/versions are “silently ignored” or rejected; this can further limit (or eliminate) CBC availability depending on the selected module and Go version. [1]

Sources: Go crypto/tls docs (Go 1.25.2) [1], Go blog on cipher suite ordering / CBC & Lucky13 notes [2], Go crypto/tls cipher suite source (lists secure vs insecure suites and supported versions) [3].


🏁 Script executed:

cat -n config/v1/types_tlssecurityprofile.go | sed -n '240,280p'

Repository: openshift/api

Length of output: 1776


🏁 Script executed:

# Also check if this pattern exists in intermediate profile comments
cat -n config/v1/types_tlssecurityprofile.go | sed -n '85,100p'

Repository: openshift/api

Length of output: 815


Clarify CBC support wording in both Old profile locations.

The Old profile still lists CBC SHA1 suites (AES128-SHA, AES256-SHA, DES-CBC3-SHA), so the comment "Go's crypto/tls does not support CBC mode ciphers" is overstated. The actual limitation applies only to the CBC SHA-256/384 suites listed below. Narrow the wording to match the specific ciphers excluded.

✏️ Suggested wording
- //     // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
+ //     // Go's crypto/tls does not support these CBC mode SHA-256/384 ciphers (see https://github.com/golang/go/issues/26652)

-           // Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
+           // Go's crypto/tls does not support these CBC mode SHA-256/384 ciphers (see https://github.com/golang/go/issues/26652)

Also applies to: 252-255

🤖 Prompt for AI Agents
In `@config/v1/types_tlssecurityprofile.go` around lines 53 - 64, Update the
overstated comment that reads "Go's crypto/tls does not support CBC mode
ciphers" to specifically say that Go's crypto/tls lacks support for the CBC
SHA-256/384 suites (e.g., AES256-SHA256, ECDHE-*-AES256-SHA384) so it only
excludes those CBC SHA-256/384 ciphers rather than all CBC-mode ciphers; apply
this same clarified wording to both comment occurrences in the TLS profile
comment block (the blocks listing the excluded CBC SHA-256/384 suites alongside
the DHE exclusions) so the comment matches the actual excluded cipher list.
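
The question this comment turns on, which of the profile's OpenSSL-style names Go's crypto/tls implements at all, can be checked against the running toolchain. The following is an added example, not code from this PR or from openshift/api; `ianaName` and `sample` are hypothetical, the name conversion covers only the shapes that appear in this diff, and whether a given suite lands under secure or insecure varies by Go release.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample: a subset of the Old profile names visible in this diff.
var sample = []string{
	"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "DES-CBC3-SHA",
	"ECDHE-ECDSA-AES128-SHA256", "AES128-SHA256", "DHE-RSA-AES128-GCM-SHA256",
	"DHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-SHA384", "AES256-SHA256",
}

// ianaName (hypothetical helper) maps an OpenSSL-style name to the IANA name
// crypto/tls reports; shapes not used in this diff map to a name Go lacks.
func ianaName(openssl string) string {
	kx, rest := "RSA", openssl // no prefix means RSA key exchange
	for _, p := range []string{"ECDHE-ECDSA", "ECDHE-RSA", "DHE-RSA"} {
		if strings.HasPrefix(openssl, p+"-") {
			kx, rest = strings.ReplaceAll(p, "-", "_"), openssl[len(p)+1:]
			break
		}
	}
	parts := strings.Split(rest, "-")
	switch isAES := strings.HasPrefix(rest, "AES"); {
	case rest == "CHACHA20-POLY1305":
		rest = "CHACHA20_POLY1305_SHA256"
	case rest == "DES-CBC3-SHA":
		rest = "3DES_EDE_CBC_SHA"
	case isAES && len(parts) == 3 && parts[1] == "GCM":
		rest = "AES_" + parts[0][3:] + "_GCM_" + parts[2]
	case isAES && len(parts) == 2: // OpenSSL leaves "CBC" out of the name
		rest = "AES_" + parts[0][3:] + "_CBC_" + parts[1]
	}
	return "TLS_" + kx + "_WITH_" + rest
}

// classify sorts names into secure, insecure-but-implemented, and missing.
func classify(names []string) (secure, insecure, missing []string) {
	insecureByName := map[string]bool{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		insecureByName[s.Name] = s.Insecure
	}
	for _, n := range names {
		if insec, ok := insecureByName[ianaName(n)]; !ok {
			missing = append(missing, n)
		} else if insec {
			insecure = append(insecure, n)
		} else {
			secure = append(secure, n)
		}
	}
	return
}

func main() {
	fmt.Println(classify(sample))
}
```

The AES-128 CBC SHA-256 names come back as implemented, while the DHE and AES-256 CBC SHA-256/384 names come back as missing.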

//
// +optional
// +nullable
Old *OldTLSProfile `json:"old,omitempty"`
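Review bot: The heading on the last excluded group, "Go's crypto/tls does not support CBC mode ciphers", does not match the list above it: ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, AES128-SHA256 and the entries ending in -SHA are CBC suites too, and they stay in the profile. The three names under the heading are all AES-256 CBC with a SHA-256 or SHA-384 MAC, so a heading that names exactly those suites would describe what is excluded. The same sentence recurs in the TLSProfiles map comment and should change with it.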
Comment on lines 66 to 68

Action required

1. old field missing optional docs 📘 Rule violation ✓ Correctness

• The Old *OldTLSProfile field has +optional and +nullable markers, but its comment only lists
  cipher details and does not explain what happens when the field is omitted or explicitly set to
  null.
• This makes the API behavior unclear to consumers and violates the requirement that field comments
  document the meaning/behavior of kubebuilder optionality markers.
Agent Prompt
## Issue description
`TLSSecurityProfile` fields (e.g., `Old`) include kubebuilder optionality markers (`+optional`, `+nullable`) but their comments do not document what omitted or null values mean.

## Issue Context
PR Compliance ID 11 requires that any field with optionality/validation markers has comments explaining those markers’ meaning and behavior so the API is self-documenting.

## Fix Focus Areas
- config/v1/types_tlssecurityprofile.go[6-128]

Expand All @@ -81,6 +86,10 @@ type TLSSecurityProfile struct {
// - ECDHE-RSA-AES256-GCM-SHA384
// - ECDHE-ECDSA-CHACHA20-POLY1305
// - ECDHE-RSA-CHACHA20-POLY1305
//
// // Ciphers not in this profile even though listed
// // in the Mozilla Server Side TLS configuration guidelines:
// // Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
// - DHE-RSA-AES128-GCM-SHA256
// - DHE-RSA-AES256-GCM-SHA384
//
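Review bot: The two DHE entries after the new heading are unchanged context, so in this doc comment they remain ordinary `- ` list items in the same example as the supported suites, while the later TLSProfiles hunk (the one with MinTLSVersion: VersionTLS12) removes the same two names from the Ciphers slice. A reader of the generated field description cannot tell where the effective list ends. Consider moving the excluded names out of the example list, or writing them in a form that is not a list item, so the documented list and the Ciphers slice agree.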
Expand Down Expand Up @@ -220,26 +229,30 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA",
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES256-SHA256",
"AES128-GCM-SHA256",
"AES256-GCM-SHA384",
"AES128-SHA256",
"AES256-SHA256",
"AES128-SHA",
"AES256-SHA",
"DES-CBC3-SHA",
// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
// - DHE-RSA-AES128-GCM-SHA256
// - DHE-RSA-AES256-GCM-SHA384
// - DHE-RSA-CHACHA20-POLY1305
// - DHE-RSA-AES128-SHA256
// - DHE-RSA-AES256-SHA256
// Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
// - ECDHE-ECDSA-AES256-SHA384
// - ECDHE-RSA-AES256-SHA384
// - AES256-SHA256
},
MinTLSVersion: VersionTLS10,
},
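Review bot: The Ciphers slice of the exported TLSProfiles map loses eight names here on the strength of a limitation in Go's crypto/tls, and nothing in the comment says the slice is scoped to that library. The entries are OpenSSL-style names, so if any consumer hands this list to a TLS stack other than crypto/tls it loses the DHE and AES-256 CBC suites as well; state in the comment that the slice holds only what crypto/tls can negotiate. A unit test asserting that every remaining name resolves to a crypto/tls suite would keep the slice and the comment from drifting apart.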
Expand All @@ -254,8 +267,11 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
// - DHE-RSA-AES128-GCM-SHA256
// - DHE-RSA-AES256-GCM-SHA384
},
MinTLSVersion: VersionTLS12,
},
Expand Up @@ -360,6 +360,10 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
nullable: true
Expand Down Expand Up @@ -397,26 +401,31 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
// Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES256-SHA256
nullable: true
type: object
type:
Expand Up @@ -291,6 +291,10 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
Comment on lines +295 to 299

Action required

2. Invalid yaml doc snippets 🐞 Bug ✓ Correctness

• Multiple CRD/OpenAPI descriptions contain YAML configuration examples that now include // ...
  lines; // is not valid YAML comment syntax.
• Users/operators copying these examples into real YAML manifests will hit YAML parse errors (or end
  up with unintended config).
• Because these are generated artifacts, the issue propagates widely (config, operator,
  machineconfiguration, payload manifests, OpenAPI).
Agent Prompt
### Issue description
CRD/OpenAPI `description` fields embed YAML examples that now contain `//` lines. These are not valid YAML comments, so users copying the example into manifests will get YAML parse errors.

### Issue Context
The problematic text is generated from Go doc comments in `config/v1/types_tlssecurityprofile.go` and then propagated to CRD manifests and OpenAPI/Swagger output.

### Fix Focus Areas
- config/v1/types_tlssecurityprofile.go[22-98]

nullable: true
Expand Down Expand Up @@ -328,26 +332,31 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
// Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES256-SHA256
nullable: true
type: object
type:
Expand Up @@ -360,6 +360,10 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
nullable: true
Expand Down Expand Up @@ -397,26 +401,31 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
// Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES256-SHA256
nullable: true
type: object
type:
Expand Up @@ -291,6 +291,10 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
nullable: true
Expand Down Expand Up @@ -328,26 +332,31 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
// Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES256-SHA256
nullable: true
type: object
type:
Expand Up @@ -292,6 +292,10 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
nullable: true
Expand Down Expand Up @@ -329,26 +333,31 @@ spec:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA

// Ciphers not in this profile even though listed
// in the Mozilla Server Side TLS configuration guidelines:
// Go's crypto/tls does not support DHE ciphers (see https://github.com/golang/go/issues/7758)
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA256
// Go's crypto/tls does not support CBC mode ciphers (see https://github.com/golang/go/issues/26652)
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- AES256-SHA256
nullable: true
type: object
type: