tls: limit version to 1.2 only and selected ciphers

Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
2025-06-03 03:59:37 +00:00 · 2024-08-20 11:58:38 +03:00 · 2024-08-20 11:58:38 +03:00 · 1a13dcd3e2
commit 1a13dcd3e2
parent 333d6369db
3 changed files with 24 additions and 3 deletions
--- a/cmd/fpga_admissionwebhook/main.go
+++ b/cmd/fpga_admissionwebhook/main.go
@ -55,7 +55,14 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))

 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}

 	webhookOptions := webhook.Options{
--- a/cmd/operator/main.go
+++ b/cmd/operator/main.go
@ -135,7 +135,14 @@ func main() {
 	}

 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}

 	webhookOptions := webhook.Options{
--- a/cmd/sgx_admissionwebhook/main.go
+++ b/cmd/sgx_admissionwebhook/main.go
@ -37,7 +37,14 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))

 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}

 	webhookOptions := webhook.Options{