Reputation: 1971
Enovy error - The following ciphers were rejected when tried individually: TLS_AES_128_GCM_SHA256
In istio 1.5.1, when I tried to add a particular cipher suit to the gateway's tls section using this syntax:
minProtocolVersion: TLSV1_3
mode: SIMPLE
cipherSuites: [TLS_AES_128_GCM_SHA256]
I got the following error in the istio-ingress pod's logs:
[Envoy (Epoch 0)] [2020-06-08 15:15:44.033][22][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:87]
gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected:
Error adding/updating listener(s) 0.0.0.0_443: Failed to initialize cipher suites TLS_AES_128_GCM_SHA256.
The following ciphers were rejected when tried individually: TLS_AES_128_GCM_SHA256
If I remove the cipherSuites line from the tls section, there is no errors, and the same cipher suit appears in the list of valid cipher suits.
Any advise? Thanks
Upvotes: 0
Views: 1329
Answers (1)
Reputation: 8830
As far as I checked in envoy documentation And BoringSSL documentation
TLS 1.3 ciphers do not participate in this mechanism and instead have a built-in preference order. Functions to set cipher lists do not affect TLS 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers.
cipher_suites
If specified, the TLS listener will only support the specified cipher list when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not specified, the default list will be used.
In non-FIPS builds, the default cipher list is:
[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA
In builds using BoringSSL FIPS, the default cipher list is:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA
Additionally take a look at this github issue.
Upvotes: 1
Related Questions
- Interop Crypto OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
- ssl.SSLError: ('No cipher can be selected.',) - But cipher IS available
- SSL error TLSV1_ALERT_INTERNAL_ERROR with aiohttp library
- Cipher Alogrithm 'AES-256-GCM' Not Found (OpenVPN Error)
- Can't use openssl server because the ciphers are outdated...or something...ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- TLS handshake through Istio ingress gateway fails (tlsMode=passthrough)
- TLSOption CipherSuites does not work on Istio Ingress Gateway
- OpenSSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
- Python SSL Server - Client Hello w/ only Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a) Fails
- No cipher can be selected