grpc-go icon indicating copy to clipboard operation
grpc-go copied to clipboard

Published 20 hours ago verified publisher icon grpc

tls: clarify/cleanup TLS cipher list

Open easwars opened this issue 3 years ago • 1 comments

We define a map from TLS cipher suite consts to string which is used here

In the Go stdlib some of these are marked as insecure. See here

Some questions that we should try answering:

The way we use our map is not very problematic in the sense that if we don't find the actual cipher suite being used in our map, we end up setting the corresponding value returned to channelz to an empty string. So, this won't cause a panic or cause us to use a cipher suite which is not supported. But it would be worth thinking about this and figuring if we can do anything better here.

easwars avatar Dec 23 '21 22:12 easwars

Do we need to keep this map in sync with the latest Go version?

Not with "the latest" version, but every version.

Go stdlib returns a list of secure cipher suites and insecure cipher suites. Should we use these and dynamically populate our cipherSuites map?

With these, we don't even need to maintain our copy, do we?

dfawley avatar Dec 23 '21 23:12 dfawley

Go stdlib returns a list of secure cipher suites and insecure cipher suites. Should we use these and dynamically populate our cipherSuites map?

With these, we don't even need to maintain our copy, do we?

There's two concerns I see, based on a quick look at https://cs.opensource.google/go/go/+/refs/tags/go1.21.2:src/crypto/tls/cipher_suites.go;l=53

  1. The suite currently specified contains elements from the InsecureCipherSuites
  2. I note that there are annotations to indicate the compatibility level with TLS version, not sure if that needs to be considered

bcr avatar Oct 10 '23 06:10 bcr

The suite currently specified contains elements from the InsecureCipherSuites

That seems fine, but just means we need to look in two places, potentially.

I note that there are annotations to indicate the compatibility level with TLS version, not sure if that needs to be considered

This map is just used to convert the TLS cipher suite actually used on a connection into a string for debugging purposes, so I think we can just blindly look it up in the map(s) and report it.

dfawley avatar Oct 10 '23 15:10 dfawley

Do you want to keep the cipherSuiteLookup map which is only used in that one place (and I build it from both of the cipher suites), or I can just make it a function that does the scavenger hunt in both of the cipher suites without the intermediate map.

My current plan is to make it a function that does the scavenger hunt with no intermediate map.

bcr avatar Oct 10 '23 17:10 bcr