Print warning when 'tls_cipher_suites' includes only blacklisted cipher suites #6300
Conversation
…tes which are not supprted by the HTTP/2 spec
|
Unfortunately this won't solve the original problem, because they aren't using only blacklisted ciphers, they're using some -- and since they're not including the compatibility one mandated in the HTTP/2 spec, there is no compatible set of ciphers. I think the behavior needs to be:
|
…sted. Added warning when some ciphers are blacklisted.
|
@jefferai Please have another look 😄 |
command/server/listener.go
Outdated
| } | ||
| } | ||
| if badCiphersCount == len(ciphers) { | ||
| return nil, nil, nil, errors.New("all defined cipher suites by 'tls_cipher_suites' are blacklisted by the HTTP/2 specification") |
There was a problem hiding this comment.
I'm wavering on whether this should be an error or a warning. If their client is also appropriately configured things could still work even if it's out of spec. I'm leaning towards this being a warning as well, WDYT?
There was a problem hiding this comment.
I agree. I think some people will be frustrated if Vault will not start because of this and since HTTP/2 is still new for many enterprise companies it might be worth to stick to a warning instead of a hard failure.
…and replaced it by external library.
HTTP/2 with TLS 1.2 blacklists several cipher suites: https://tools.ietf.org/html/rfc7540#appendix-A
I added a warning which will be printed to the screen when all configured cipher suites (e.g. 'tls_cipher_suites') are blacklisted.
Since the CLI (net/http) automatically uses HTTP/2 with TLS 1.2, the CLI will stop working if all configured cipher suites are blacklisted.
Output format:
