diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index b18ef647c2f..1e5189796e4 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -4,178 +4,130 @@ package v1 // is used by operators to apply TLS security settings to operands. // +union type TLSSecurityProfile struct { - // type is one of Old, Intermediate, Modern or Custom. Custom provides - // the ability to specify individual TLS security profile parameters. - // Old, Intermediate and Modern are TLS security profiles based on: + // type is one of Old, Intermediate, Modern or Custom. Custom provides the + // ability to specify individual TLS security profile parameters. // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + // The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + // configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + // forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json // - // The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - // are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - // reduced. - // - // Note that the Modern profile is currently not supported because it is not - // yet well adopted by common software libraries. + // The profiles are intent based, so they may change over time as new ciphers are + // developed and existing ciphers are found to be insecure. Depending on + // precisely which ciphers are available to a process, the list may be reduced. // // +unionDiscriminator // +optional Type TLSProfileType `json:"type"` - // old is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + // old is a TLS profile for use when services need to be accessed by very old + // clients or libraries and should be used only as a last resort. // - // and looks like this (yaml): + // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + // by the "old" profile ciphers. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS10 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES256-GCM-SHA384 - // // - ECDHE-RSA-AES256-GCM-SHA384 - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - DHE-RSA-AES128-GCM-SHA256 - // // - DHE-RSA-AES256-GCM-SHA384 - // // - DHE-RSA-CHACHA20-POLY1305 - // // - ECDHE-ECDSA-AES128-SHA256 - // // - ECDHE-RSA-AES128-SHA256 - // // - ECDHE-ECDSA-AES128-SHA - // // - ECDHE-RSA-AES128-SHA - // // - ECDHE-ECDSA-AES256-SHA384 - // // - ECDHE-RSA-AES256-SHA384 - // // - ECDHE-ECDSA-AES256-SHA - // // - ECDHE-RSA-AES256-SHA - // // - DHE-RSA-AES128-SHA256 - // // - DHE-RSA-AES256-SHA256 - // // - AES128-GCM-SHA256 - // // - AES256-GCM-SHA384 - // // - AES128-SHA256 - // // - AES256-SHA256 - // // - AES128-SHA - // // - AES256-SHA - // // - DES-CBC3-SHA // - // minTLSVersion: VersionTLS10 - // // +optional // +nullable Old *OldTLSProfile `json:"old,omitempty"` - // intermediate is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + // intermediate is a TLS profile for use when you do not need compatibility with + // legacy clients and want to remain highly secure while being compatible with + // most clients currently in use. // - // and looks like this (yaml): + // The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + // by the "intermediate" profile ciphers. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS12 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES256-GCM-SHA384 - // // - ECDHE-RSA-AES256-GCM-SHA384 - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - DHE-RSA-AES128-GCM-SHA256 - // // - DHE-RSA-AES256-GCM-SHA384 // - // minTLSVersion: VersionTLS12 - // // +optional // +nullable Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"` - // modern is a TLS security profile based on: - // - // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - // - // and looks like this (yaml): + + // modern is a TLS security profile for use with clients that support TLS 1.3 and + // do not need backward compatibility for older clients. // + // This profile is equivalent to a Custom profile specified as: + // minTLSVersion: VersionTLS13 // ciphers: - // // - TLS_AES_128_GCM_SHA256 - // // - TLS_AES_256_GCM_SHA384 - // // - TLS_CHACHA20_POLY1305_SHA256 // - // minTLSVersion: VersionTLS13 - // // +optional // +nullable Modern *ModernTLSProfile `json:"modern,omitempty"` + // custom is a user-defined TLS security profile. Be extremely careful using a custom // profile as invalid configurations can be catastrophic. An example custom profile // looks like this: // + // minTLSVersion: VersionTLS11 // ciphers: - // // - ECDHE-ECDSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-CHACHA20-POLY1305 - // // - ECDHE-RSA-AES128-GCM-SHA256 - // // - ECDHE-ECDSA-AES128-GCM-SHA256 // - // minTLSVersion: VersionTLS11 - // // +optional // +nullable Custom *CustomTLSProfile `json:"custom,omitempty"` } -// OldTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility +// OldTLSProfile is a TLS security profile based on the "old" configuration of +// the Mozilla Server Side TLS configuration guidelines. type OldTLSProfile struct{} -// IntermediateTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 +// IntermediateTLSProfile is a TLS security profile based on the "intermediate" +// configuration of the Mozilla Server Side TLS configuration guidelines. type IntermediateTLSProfile struct{} -// ModernTLSProfile is a TLS security profile based on: -// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility +// ModernTLSProfile is a TLS security profile based on the "modern" configuration +// of the Mozilla Server Side TLS configuration guidelines. type ModernTLSProfile struct{} // CustomTLSProfile is a user-defined TLS security profile. Be extremely careful @@ -189,16 +141,19 @@ type CustomTLSProfile struct { type TLSProfileType string const ( - // Old is a TLS security profile based on: - // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + // TLSProfileOldType sets parameters based on the "old" configuration of + // the Mozilla Server Side TLS configuration guidelines. TLSProfileOldType TLSProfileType = "Old" - // Intermediate is a TLS security profile based on: - // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 + + // TLSProfileIntermediateType sets parameters based on the "intermediate" + // configuration of the Mozilla Server Side TLS configuration guidelines. TLSProfileIntermediateType TLSProfileType = "Intermediate" - // Modern is a TLS security profile based on: - // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + // TLSProfileModernType sets parameters based on the "modern" configuration + // of the Mozilla Server Side TLS configuration guidelines. TLSProfileModernType TLSProfileType = "Modern" - // Custom is a TLS security profile that allows for user-defined parameters. + + // TLSProfileCustomType is a TLS security profile that allows for user-defined parameters. TLSProfileCustomType TLSProfileType = "Custom" ) @@ -219,8 +174,6 @@ type TLSProfileSpec struct { // // minTLSVersion: VersionTLS11 // - // NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - // MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"` } @@ -245,11 +198,16 @@ const ( VersionTLS13 TLSProtocolVersion = "VersionTLS13" ) -// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec. +// TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec. +// +// These profiles are based on version 5.0 of the Mozilla Server Side TLS +// configuration guidelines (2019-06-28) with TLS 1.3 cipher suites prepended for +// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json // -// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all -// entries map to values for all binaries. In the case of ties, the kube-apiserver wins. Do not fail, -// just be sure to whitelist only and everything will be ok. +// NOTE: The caller needs to make sure to check that these constants are valid +// for their binary. Not all entries map to values for all binaries. In the case +// of ties, the kube-apiserver wins. Do not fail, just be sure to include only +// valid entries and everything will be ok. var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ TLSProfileOldType: { Ciphers: []string{ diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..86a51460699 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 37662cb58d8..50548951789 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -236,17 +236,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -268,8 +263,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -279,143 +272,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..f4dec273978 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..6206ad77a82 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index 2fe53f839aa..a79680a164b 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -236,17 +236,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -268,8 +263,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -279,143 +272,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a3919b9a489..a5725c96a88 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 778fed917c7..09ce48a4760 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -2845,7 +2845,7 @@ func (CustomTLSProfile) SwaggerDoc() map[string]string { } var map_IntermediateTLSProfile = map[string]string{ - "": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + "": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (IntermediateTLSProfile) SwaggerDoc() map[string]string { @@ -2853,7 +2853,7 @@ func (IntermediateTLSProfile) SwaggerDoc() map[string]string { } var map_ModernTLSProfile = map[string]string{ - "": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + "": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (ModernTLSProfile) SwaggerDoc() map[string]string { @@ -2861,7 +2861,7 @@ func (ModernTLSProfile) SwaggerDoc() map[string]string { } var map_OldTLSProfile = map[string]string{ - "": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + "": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", } func (OldTLSProfile) SwaggerDoc() map[string]string { @@ -2871,7 +2871,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", - "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } func (TLSProfileSpec) SwaggerDoc() map[string]string { @@ -2880,11 +2880,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", - "old": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", - "intermediate": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", - "modern": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", - "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } func (TLSSecurityProfile) SwaggerDoc() map[string]string { diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml index b056dc99c17..5d68283c596 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -119,17 +119,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -151,8 +146,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -162,143 +155,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 579f6f2c280..1c527d3c9f8 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -120,17 +120,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -152,8 +147,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -163,143 +156,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 776207869f0..2297751d070 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -11786,7 +11786,7 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, "minTLSVersion": { SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", Default: "", Type: []string{"string"}, Format: "", @@ -15154,7 +15154,7 @@ func schema_openshift_api_config_v1_IntermediateTLSProfile(ref common.ReferenceC return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + Description: "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", Type: []string{"object"}, }, }, @@ -15621,7 +15621,7 @@ func schema_openshift_api_config_v1_ModernTLSProfile(ref common.ReferenceCallbac return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + Description: "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", Type: []string{"object"}, }, }, @@ -17203,7 +17203,7 @@ func schema_openshift_api_config_v1_OldTLSProfile(ref common.ReferenceCallback) return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + Description: "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", Type: []string{"object"}, }, }, @@ -19887,7 +19887,7 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, "minTLSVersion": { SchemaProps: spec.SchemaProps{ - Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", Default: "", Type: []string{"string"}, Format: "", @@ -19909,7 +19909,7 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", + Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", Default: "", Type: []string{"string"}, Format: "", @@ -19917,25 +19917,25 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, "modern": { SchemaProps: spec.SchemaProps{ - Description: "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", + Description: "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", Ref: ref("github.com/openshift/api/config/v1.ModernTLSProfile"), }, }, "custom": { SchemaProps: spec.SchemaProps{ - Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", Ref: ref("github.com/openshift/api/config/v1.CustomTLSProfile"), }, }, diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml index d37991c458c..fa03ef576c8 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml @@ -1994,17 +1994,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -2026,8 +2021,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -2037,143 +2030,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate @@ -3323,8 +3269,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 06666a2e7ca..78744d6cb00 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -1988,17 +1988,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -2020,8 +2015,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -2031,143 +2024,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate @@ -3306,8 +3252,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..86a51460699 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 37662cb58d8..50548951789 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -236,17 +236,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -268,8 +263,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -279,143 +272,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..f4dec273978 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..6206ad77a82 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -305,17 +305,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -337,8 +332,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -348,143 +341,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml index b056dc99c17..5d68283c596 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -119,17 +119,12 @@ spec: profile as invalid configurations can be catastrophic. An example custom profile looks like this: + minTLSVersion: VersionTLS11 ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 nullable: true properties: ciphers: @@ -151,8 +146,6 @@ spec: versions 1.1, 1.2 and 1.3 (yaml): minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 enum: - VersionTLS10 - VersionTLS11 @@ -162,143 +155,96 @@ spec: type: object intermediate: description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 nullable: true type: object modern: description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 nullable: true type: object old: description: |- - old is a TLS security profile based on: + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES256-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 nullable: true type: object type: description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. enum: - Old - Intermediate