
Make TLS ciphers configurable for ApiSix Helm Chart #834

Closed
boscard wants to merge 3 commits into apache:master from boscard:master

Conversation

@boscard boscard commented Jun 13, 2025

This PR will:

  • update values.yaml and configmap.yaml of ApiSix Helm Chart to allow easy configuration of the list of TLS ciphers
  • remove DES-CBC3-SHA as it is considered unsafe
```
nmap -Pn -p 443 --script ssl-enum-ciphers my.dev.setup.com
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 15:40 PDT
Nmap scan report for my.dev.setup.com (1.2.3.4)
Host is up (0.69s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
```
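The following is an added worked example, not code from this PR or from the APISIX project. It shows the two checks a reviewer of a cipher-list change would want: first, that a colon-separated OpenSSL cipher string (the format nginx-based servers such as APISIX take for `ssl_ciphers`) no longer contains DES-CBC3-SHA or other weak suites, both by textual filtering and by asking the local OpenSSL what the string really enables; second, that an `ssl-enum-ciphers` report like the one above has no suite graded below A. The cipher string is constructed from the TLS 1.2 suites the scan above reports, translated to OpenSSL names; it is not a claim about the chart's exact default value, and the Helm values key this PR introduces is not visible on the page, so no key name is assumed here. The nmap excerpt is a constructed copy of a few lines of the output quoted above.

```python
import re
import ssl
from typing import List, Tuple

# Constructed: the TLS 1.2 suites the scan above reports, in OpenSSL naming.
# Observed list only; not a statement of the Helm chart's default value.
OBSERVED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "DES-CBC3-SHA"
)

# OpenSSL name fragments that mark suites with no place in a production list:
# 64-bit block ciphers (3DES, IDEA: SWEET32), single DES, RC4, NULL and EXPORT.
WEAK_NAME_RE = re.compile(r"(^|-)(DES-CBC3|3DES|DES|IDEA|RC4|NULL|EXP)(-|$)")


def strip_weak_ciphers(cipher_string: str) -> str:
    """Return the colon-separated list with weak suites removed (pure text)."""
    kept = [c for c in cipher_string.split(":") if c and not WEAK_NAME_RE.search(c)]
    return ":".join(kept)


def resolve_cipher_list(cipher_string: str) -> List[str]:
    """Ask the local OpenSSL which suites the string actually enables.

    Unknown names in the list are ignored by OpenSSL, so a suite that this
    build does not ship (or that the security level forbids) simply vanishes.
    get_ciphers() also lists TLS 1.3 suites, which this string does not govern.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed excerpt of the ssl-enum-ciphers output quoted above, used as input.
NMAP_EXCERPT = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: C
"""

PROTO_LINE_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv\d):")
CIPHER_LINE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")


def weak_suites_in_scan(text: str, min_grade: str = "A") -> List[Tuple[str, str, str]]:
    """Return (protocol, suite, grade) for every suite nmap graded below min_grade."""
    findings = []
    proto = "?"
    for line in text.splitlines():
        m = PROTO_LINE_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = CIPHER_LINE_RE.match(line)
        # Grades are letters, so a plain string comparison orders them (B > A).
        if m and m.group(3) > min_grade:
            findings.append((proto, m.group(1), m.group(3)))
    return findings


if __name__ == "__main__":
    hardened = strip_weak_ciphers(OBSERVED_CIPHERS)
    print("hardened ssl_ciphers:", hardened)
    print("openssl enables:", resolve_cipher_list(hardened))
    # Alternative that keeps the original string: OpenSSL's "!3DES" exclusion.
    print("with !3DES:", resolve_cipher_list(OBSERVED_CIPHERS + ":!3DES"))
    print("scan findings:", weak_suites_in_scan(NMAP_EXCERPT))
```

Appending `:!3DES` (an OpenSSL cipher-string keyword) is the minimal change if the list itself must stay untouched, but editing the list explicitly, as this PR does, keeps the configured value honest about what it offers. Note that the textual filter and the OpenSSL resolution can disagree: a suite can be present in the string yet absent from the resolved list because the local OpenSSL build or its security level rejects it, which is why the resolved list is the one worth checking before shipping a chart value.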

@juzhiyuan
Member

Hi @boscard, I didn't notice this PR before creating this one: b1cfc96

Can you review the latest changes please?

@boscard
Author

boscard commented Aug 14, 2025

> Hi @boscard, I didn't notice this PR before creating this one: b1cfc96
>
> Can you review the latest changes please?

There is still DES-CBC3-SHA but at least it is easy to configure now.
Thx @juzhiyuan :)

@boscard boscard closed this Aug 14, 2025