Update the default TLS ciphers list

This patch updates the default TLS ciphers list to reflect the current recommended ciphers. Closes-Bug: #2109688 Change-Id: I8da32d633c546b09662ad18ba1eff3007f4a3ccc
2025-05-01 21:49:22 +00:00
parent 8ebf8d27c4
commit c031784a61
2 changed files with 33 additions and 6 deletions
--- a/octavia/common/constants.py
+++ b/octavia/common/constants.py
@@ -896,13 +896,16 @@ CINDER_ACTION_CREATE_VOLUME = 'create volume'
 NIL_UUID = '00000000-0000-0000-0000-000000000000'

 # OpenSSL cipher strings
-CIPHERS_OWASP_SUITE_B = ('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:'
-                         'TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:'
-                         'DHE-RSA-AES128-GCM-SHA256:'
+CIPHERS_OWASP_SUITE_B = ('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:'
+                         'TLS_CHACHA20_POLY1305_SHA256:'
+                         'ECDHE-ECDSA-AES128-GCM-SHA256:'
+                         'ECDHE-RSA-AES128-GCM-SHA256:'
+                         'ECDHE-ECDSA-AES256-GCM-SHA384:'
                         'ECDHE-RSA-AES256-GCM-SHA384:'
-                         'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:'
-                         'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:'
-                         'ECDHE-RSA-AES128-SHA256')
+                         'ECDHE-ECDSA-CHACHA20-POLY1305:'
+                         'ECDHE-RSA-CHACHA20-POLY1305:'
+                         'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:'
+                         'DHE-RSA-CHACHA20-POLY1305')

 TLS_VERSIONS_OWASP_SUITE_B = [lib_consts.TLS_VERSION_1_2,
                              lib_consts.TLS_VERSION_1_3]
--- a/releasenotes/notes/Updated-default-TLS-cipher-suites-7359fe87fc246618.yaml
+++ b/releasenotes/notes/Updated-default-TLS-cipher-suites-7359fe87fc246618.yaml
@@ -0,0 +1,24 @@
+---
+upgrade:
+  - |
+    The default TLS cipher suite list has been updated to the current
+    'intermediate' recommendations. Load balancers will need to be failed over
+    to use the new default list if the operator and user opted for the Octavia
+    default cipher list.
+security:
+  - |
+    Updated the default TLS cipher suites based on current OWASP/Mozilla.org
+    recommendations for Intermediate compatibility. The new default list is\:
+
+    - TLS_AES_128_GCM_SHA256
+    - TLS_AES_256_GCM_SHA384
+    - TLS_CHACHA20_POLY1305_SHA256
+    - ECDHE-ECDSA-AES128-GCM-SHA256
+    - ECDHE-RSA-AES128-GCM-SHA256
+    - ECDHE-ECDSA-AES256-GCM-SHA384
+    - ECDHE-RSA-AES256-GCM-SHA384
+    - ECDHE-ECDSA-CHACHA20-POLY1305
+    - ECDHE-RSA-CHACHA20-POLY1305
+    - DHE-RSA-AES128-GCM-SHA256
+    - DHE-RSA-AES256-GCM-SHA384
+    - DHE-RSA-CHACHA20-POLY1305