Comment 0 for bug 1970993

Chris Johnston (cjohnston) wrote :

etcd as provided by the snap and charm utilized the default TLS ciphers as provided by Go. This currently allows for weak ciphers to still be used by default (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA). This was discussed in depth in an issue upstream [1], in which a change has been made to allow for passing `--cipher-suites` to override the defaults provided by Go.

With this, the snap and the charm should be updated to support a user-defined cipher-suites config option which is then passed on to the snap.

[1] https://github.com/etcd-io/etcd/issues/8320
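
One way a user-supplied cipher-suites value could be checked before it is handed to `--cipher-suites`, as an added example that is not part of the original comment or of the charm, snap or etcd code. `ValidateCipherSuites` and `isLegacy` are hypothetical names, and the sample values in `main` are constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// isLegacy flags 3DES and RC4 suites by name, so the result does not depend
// on which list a given Go release puts them in.
func isLegacy(name string) bool {
	return strings.Contains(name, "_3DES_") || strings.Contains(name, "_RC4_")
}

// ValidateCipherSuites checks a comma-separated cipher-suites value.
// It returns the cleaned list, or an error naming every suite that is
// unknown to Go's crypto/tls or considered weak.
func ValidateCipherSuites(value string) ([]string, error) {
	known := map[string]bool{} // suite name -> true if weak
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = isLegacy(cs.Name)
	}
	for _, cs := range tls.InsecureCipherSuites() {
		known[cs.Name] = true
	}
	var ok, bad []string
	for _, name := range strings.Split(value, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		if weak, found := known[name]; !found {
			bad = append(bad, name+" (unknown)")
		} else if weak {
			bad = append(bad, name+" (weak)")
		} else {
			ok = append(ok, name)
		}
	}
	if len(bad) > 0 {
		return nil, fmt.Errorf("rejected cipher suites: %s", strings.Join(bad, ", "))
	}
	if len(ok) == 0 {
		return nil, fmt.Errorf("no cipher suites given")
	}
	return ok, nil
}

func main() {
	// Constructed sample value mixing a modern suite with one named in the bug.
	_, err := ValidateCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA")
	fmt.Println(err)
}
```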