Description:
Envoy Gateway v1.8.0 rejects IANA/RFC TLS cipher suite names in ClientTrafficPolicy, even though Envoy itself accepts them.
This worked before v1.8.0 because the cipher suite names were passed through to Envoy. Starting in v1.8.0, EG added stricter validation for CTP TLS ciphers and now rejects IANA names such as:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
with an error like:
TLS: unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
This breaks existing CTPs with IANA ciphers names configured.
Expected behavior
Envoy Gateway should accept IANA cipher suite names that Envoy accepts, it could:
- pass IANA cipher suite nemes to Envoy, or
- normalize them to Envoy/OpenSSL-style names before validation/xDS generation.
Description:
Envoy Gateway v1.8.0 rejects IANA/RFC TLS cipher suite names in
ClientTrafficPolicy, even though Envoy itself accepts them.This worked before v1.8.0 because the cipher suite names were passed through to Envoy. Starting in v1.8.0, EG added stricter validation for CTP TLS ciphers and now rejects IANA names such as:
with an error like:
This breaks existing CTPs with IANA ciphers names configured.
Expected behavior
Envoy Gateway should accept IANA cipher suite names that Envoy accepts, it could: