Comments (11)
In some older kernels, TLS 1.3 cannot be supported. Why not, like Envoy, make the min version TLS 1.2?
Restrict to 1.3
Use a strict cipher set
Should this be configurable or static?
Why is the kernel involved? TLS is done in user space...?
To be accurate, it should be the lib that an OS installed.
We statically link the SSL library (like Envoy and Go)
IC, that makes sense.
Is this task for tuning the HBONE connection TLS settings?
I'm asking because currently the min/max version is already 1.3: https://github.com/istio/ztunnel/blob/master/src/tls/boring.rs#L172
Yes, it's more than just the version. The SSL libraries are probably the most unfriendly APIs ever designed. For every option, there are 3 ways to set it, and there are 100s of options. We need to make sure we pick the ones that are most secure and performant.
@howardjohn has this been implemented already? If not, is this required for zTunnel reaching Alpha in OSS?
IMO it should be a blocker for someone to give it a pass over to make sure we are using secure settings. Shouldn't be too much effort.
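The hardening the thread asks for (pin both ends of the version range to TLS 1.3, keep a strict cipher set, require the peer's certificate), as an added audit example using Python's `ssl` module. This is not ztunnel's BoringSSL code; the suite allowlist and the two sample contexts are constructed for illustration, not taken from ztunnel's configuration.

```python
import ssl

# Constructed allowlist: the AEAD suites TLS 1.3 itself defines; not ztunnel's list.
STRICT_TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}

def hardened_context() -> ssl.SSLContext:
    """Pin min and max to 1.3 and require a peer certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def lax_context() -> ssl.SSLContext:
    """The 'leave it to the library' shape: a 1.2 floor and no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context is strict."""
    findings = []
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum_version={ctx.minimum_version.name}, want TLSv1_3")
    if ctx.maximum_version != ssl.TLSVersion.TLSv1_3:
        findings.append(f"maximum_version={ctx.maximum_version.name}, want TLSv1_3")
    # get_ciphers() reports the whole configured list, including TLS 1.2 ciphers
    # that can never be negotiated once the floor is 1.3, so only the TLS 1.3
    # entries are judged against the allowlist.
    tls13 = {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"}
    for name in sorted(tls13 - STRICT_TLS13_SUITES):
        findings.append(f"unexpected TLS 1.3 suite {name}")
    if not tls13:
        findings.append("no TLS 1.3 suites enabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    return findings

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("lax", lax_context())):
        print(label, audit(ctx) or "OK")
```

The same check applies to any OpenSSL-style context, whichever of the "3 ways to set it" was used, because it reads the effective settings back rather than trusting the configuration that was written.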