Skip to content

🌱 Update TLS profiles to Mozilla guidelines v5.8 #2631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 1 commit into from
Apr 7, 2026
Merged

🌱 Update TLS profiles to Mozilla guidelines v5.8 #2631

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions hack/tools/update-tls-profiles.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ if [ -z "${JQ}" ]; then
fi

OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.go
INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
INPUT=https://ssl-config.mozilla.org/guidelines/5.8.json

Comment on lines 10 to 12
Copy link

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR metadata/title mentions updating to Mozilla TLS guidelines v6.0, but this script is pinned to guidelines/5.8.json (and the generated mozilla_data.go reports DATA VERSION 5.8). Please align the PR title/description with the actual pinned version, or update the script/data generation to the intended v6.0 source URL/version so make verify stays consistent with the stated change.

Copilot uses AI. Check for mistakes.
TMPFILE="$(mktemp)"
trap 'rm -rf "$TMPFILE"' EXIT
Expand Down Expand Up @@ -38,7 +38,7 @@ cipherNums: []uint16{
EOF

${JQ} -r ".configurations.$1.ciphersuites.[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
${JQ} -r ".configurations.$1.ciphers.go[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}
${JQ} -r ".configurations.$1.ciphers.iana[] | . |= \"tls.\" + . + \",\"" ${TMPFILE} >> ${OUTPUT}

cat >> ${OUTPUT} <<EOF
},
Expand All @@ -65,5 +65,9 @@ generate_profile "modern"
generate_profile "intermediate"
generate_profile "old"

# Remove unsupported ciphers from Go's crypto/tls package (Mozilla v5.8 includes these but Go doesn't support them)
sed -i.bak '/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/d; /TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/d; /TLS_RSA_WITH_AES_256_CBC_SHA256/d' ${OUTPUT}
rm -f ${OUTPUT}.bak

# Make go happy
go fmt ${OUTPUT}
15 changes: 9 additions & 6 deletions internal/shared/util/tlsprofiles/mozilla_data.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
package tlsprofiles

// DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
// DATA VERSION: 5.7
// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/5.8.json
// DATA VERSION: 5.8

Comment thread
camilamacedo86 marked this conversation as resolved.
import (
"crypto/tls"
Expand All @@ -18,6 +18,7 @@ var modernTLSProfile = tlsProfile{
},
curves: curveSlice{
curveNums: []tls.CurveID{
X25519MLKEM768,
X25519,
prime256v1,
secp384r1,
Comment thread
camilamacedo86 marked this conversation as resolved.
Expand All @@ -36,12 +37,13 @@ var intermediateTLSProfile = tlsProfile{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
},
},
curves: curveSlice{
curveNums: []tls.CurveID{
X25519MLKEM768,
X25519,
prime256v1,
secp384r1,
Expand All @@ -60,8 +62,8 @@ var oldTLSProfile = tlsProfile{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
Expand All @@ -78,6 +80,7 @@ var oldTLSProfile = tlsProfile{
},
curves: curveSlice{
curveNums: []tls.CurveID{
X25519MLKEM768,
X25519,
prime256v1,
secp384r1,
Expand Down
18 changes: 10 additions & 8 deletions internal/shared/util/tlsprofiles/tlsprofiles.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,17 +69,19 @@ func cipherSuiteId(name string) uint16 {

// This is primarily so that we don't have to rewrite curve values in mozilla_data.go
const (
X25519 tls.CurveID = tls.X25519
prime256v1 tls.CurveID = tls.CurveP256
secp384r1 tls.CurveID = tls.CurveP384
secp521r1 tls.CurveID = tls.CurveP521
X25519MLKEM768 tls.CurveID = tls.X25519MLKEM768
X25519 tls.CurveID = tls.X25519
prime256v1 tls.CurveID = tls.CurveP256
secp384r1 tls.CurveID = tls.CurveP384
Comment thread
camilamacedo86 marked this conversation as resolved.
secp521r1 tls.CurveID = tls.CurveP521
)

var curves = map[string]tls.CurveID{
"X25519": tls.X25519,
"prime256v1": tls.CurveP256,
"secp384r1": tls.CurveP384,
"secp521r1": tls.CurveP521,
"X25519MLKEM768": tls.X25519MLKEM768,
"X25519": tls.X25519,
"prime256v1": tls.CurveP256,
"secp384r1": tls.CurveP384,
"secp521r1": tls.CurveP521,
}
Comment on lines 70 to 85
Copy link

Copilot AI Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New curve support (X25519MLKEM768) is added here, but there is no test that curveId/curveSlice.Set accepts this new value. Consider extending the existing TLS profile flag/unit tests to include X25519MLKEM768 so regressions in curve parsing are caught.

Copilot uses AI. Check for mistakes.

// Returns 0 for an invalid curve name
Expand Down
Loading