Charm does not allow a user to use specific TLS cipher suites supported by vault

Bug #2002418 reported by Marcin Wilk
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
vault-charm | Triaged | Wishlist | Unassigned |

Bug Description

The vault application supports the 'tls_cipher_suites' TCP listener config option [1], which allows an administrator to specify explicitly which cipher suites should be used. This allows eliminating weaker, vulnerable suites (i.e. those with DES/3DES, which are still supported by vault/golang [2]).
It might be useful to expose the 'tls_cipher_suites' configuration parameter via a charm config option, allowing a charm user to provide an explicit list of the suites he wants.
The same may apply to other TCP listener options, i.e. 'tls_prefer_server_cipher_suites' [3] or 'tls_min_version' [4].

[1] https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#tls_cipher_suites
[2] https://go.dev/src/crypto/tls/cipher_suites.go
[3] https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#tls_prefer_server_cipher_suites
[4] https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#tls_min_version

Changed in vault-charm:
status: New → Triaged
importance: Undecided → Wishlist
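
Added example (not part of the bug report or of the charm's code): one way to derive a value for 'tls_cipher_suites' from the suite table in Go's crypto/tls [2], dropping DES/3DES and anything Go itself flags as insecure. The `weakMarkers` policy and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// weakMarkers: name fragments this example rejects (a policy assumption,
// taken from the DES/3DES concern in the report, plus RC4).
var weakMarkers = []string{"DES", "RC4"}

// preTLS13 reports whether a suite is negotiable below TLS 1.3. Go does not
// let servers choose TLS 1.3 suites, so those are left out of the list.
func preTLS13(cs *tls.CipherSuite) bool {
	for _, v := range cs.SupportedVersions {
		if v < tls.VersionTLS13 {
			return true
		}
	}
	return false
}

// VaultCipherList splits the suites known to this Go toolchain into those
// to list in tls_cipher_suites and those rejected as weak.
func VaultCipherList() (keep, dropped []string) {
	all := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	for _, cs := range all {
		if !preTLS13(cs) {
			continue
		}
		weak := cs.Insecure
		for _, m := range weakMarkers {
			weak = weak || strings.Contains(cs.Name, m)
		}
		if weak {
			dropped = append(dropped, cs.Name)
		} else {
			keep = append(keep, cs.Name)
		}
	}
	return keep, dropped
}

func main() {
	keep, dropped := VaultCipherList()
	fmt.Printf("tls_cipher_suites = %q\n", strings.Join(keep, ","))
	fmt.Println("# rejected:", strings.Join(dropped, ", "))
}
```

The output depends on the Go release used to build it, which may differ from the one the deployed vault binary was built with, so check the resulting names against the vault version in use before setting them.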