Comments (4)
Thanks for the issue. I suspect what we should do is allow the user to limit the hard-coded ciphers. I think this would be like performing a union intersection on the hard-coded and the provided ciphers to achieve the actual result.
For example, if this is the hardcoded list:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
And this is the user-provided list:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
The resulting ciphers that will actually be configured:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
from pinniped.
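The narrowing rule described in the comment above, as an added example that is not Pinniped's own code: the hard-coded list is the universe and fixes the order, the user-provided list can only remove entries, and the names are resolved through Go's crypto/tls so no made-up suite ID reaches the server. The hard-coded list below is a constructed stand-in using the names quoted above, not the project's real allow-list, and the function and type names are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// hardcodedCipherNames is a constructed stand-in for the project's allow-list
// (the names quoted in the comment above), not Pinniped's actual list.
var hardcodedCipherNames = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
}

// CipherSelection is the outcome of narrowing the hard-coded list by the user's list.
type CipherSelection struct {
	Names      []string // suites kept, in hard-coded preference order
	IDs        []uint16 // matching crypto/tls suite IDs, same order as Names
	NotAllowed []string // user-provided names that are not in the hard-coded list
	Unknown    []string // kept names that crypto/tls does not implement
}

// IntersectCipherSuites keeps only the hard-coded suites that the user also listed.
// The hard-coded list defines both the universe and the order, so user input can
// narrow the set but never extend or reorder it. An empty intersection is an error
// on purpose: a tls.Config whose CipherSuites field is nil falls back to Go's
// defaults, which would silently widen the set instead of narrowing it.
func IntersectCipherSuites(hardcoded, userProvided []string) (*CipherSelection, error) {
	allowed := make(map[string]bool, len(hardcoded))
	for _, n := range hardcoded {
		allowed[n] = true
	}
	sel := &CipherSelection{}
	requested := make(map[string]bool, len(userProvided))
	for _, n := range userProvided {
		requested[n] = true
		if !allowed[n] {
			sel.NotAllowed = append(sel.NotAllowed, n)
		}
	}
	// Resolve names via crypto/tls's own tables (secure and insecure) so that a
	// name we keep always maps to an ID the library actually implements.
	byName := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		byName[cs.Name] = cs.ID
	}
	for _, n := range hardcoded { // iterate the hard-coded list to preserve its order
		if !requested[n] {
			continue
		}
		id, ok := byName[n]
		if !ok {
			sel.Unknown = append(sel.Unknown, n)
			continue
		}
		sel.Names = append(sel.Names, n)
		sel.IDs = append(sel.IDs, id)
	}
	if len(sel.IDs) == 0 {
		return sel, errors.New("no cipher suite is both hard-coded and user-provided; refusing to fall back to library defaults")
	}
	return sel, nil
}

// TLSConfigFor builds a server config restricted to the selected suites.
// Note that crypto/tls applies CipherSuites to TLS 1.2 only; TLS 1.3 suites are fixed.
func TLSConfigFor(sel *CipherSelection) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: append([]uint16(nil), sel.IDs...),
	}
}

func main() {
	// Constructed user input: the five names from the comment above.
	userProvided := []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
	sel, err := IntersectCipherSuites(hardcodedCipherNames, userProvided)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, n := range sel.Names {
		fmt.Printf("configured: %s (0x%04x)\n", n, sel.IDs[i])
	}
	fmt.Println("ignored, not in hard-coded list:", sel.NotAllowed)
	fmt.Println("configured suite count:", len(TLSConfigFor(sel).CipherSuites))
}
```

The two reported slices are what an operator needs for a useful log line: `NotAllowed` shows that a requested suite was ignored rather than quietly dropped, and the empty-intersection error prevents a misconfiguration from turning into "all library defaults enabled".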
You mean an intersection, right? Not a union. I believe that should solve the current issue.
from pinniped.
Hello team, I have one customer requesting that the ability to configure the ciphers be added to Pinniped.
Added the feature to open source Pinniped for TKGm 2.4.
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384
from pinniped.
I will start this work for open source Pinniped soon. Adding the feature to a product that uses Pinniped (such as TKGm) is a different scope of work.
from pinniped.