Skip to content

IANA TLS cipher names rejected in ClientTrafficPolicy after v1.8.0 #9058

Description

@zhaohuabing

Description:

Envoy Gateway v1.8.0 rejects IANA/RFC TLS cipher suite names in ClientTrafficPolicy, even though Envoy itself accepts them.

This worked before v1.8.0 because the cipher suite names were passed through to Envoy. Starting in v1.8.0, EG added stricter validation for CTP TLS ciphers and now rejects IANA names such as:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256

with an error like:

TLS: unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

This breaks existing CTPs with IANA ciphers names configured.

Expected behavior

Envoy Gateway should accept IANA cipher suite names that Envoy accepts, it could:

  • pass IANA cipher suite nemes to Envoy, or
  • normalize them to Envoy/OpenSSL-style names before validation/xDS generation.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions