Envoy Failed to initialize cipher suites #10762

Closed
drzdbd1 opened this issue Apr 13, 2020 · 6 comments
Labels
area/configuration area/tls stale stalebot believes this issue/PR has not been touched recently

Comments

@drzdbd1

drzdbd1 commented Apr 13, 2020

Envoy reports "Failed to initialize cipher suites" when cipher_suites are specified

Description:
I use Istio as service mesh framework, which injects Envoy as sidecar to pods. When I specified "cipherSuites" through Istio, I saw this error reported by Envoy and TLS negotiation failed. I see "AES128-GCM-SHA256" is supported by either build here and wonder whether it has something to do with my configuration?

Version I'm running:
"version": "2369b2f31802ab74d942462ed21a00e3a38de2c5/1.12.0/Clean/RELEASE/BoringSSL"

[Envoy (Epoch 0)] [2020-04-13 20:59:40.085][19][warning][config] [external/envoy/source/common/config/grpc_mux_subscription_impl.cc:82] gRPC config for type.googleapis.com/envoy.api.v2.auth.Secret rejected: Failed to initialize cipher suites TLS_AES_128_GCM_SHA256. The following ciphers were rejected when tried individually: TLS_AES_128_GCM_SHA256

And the configuration Istio passed to Envoy seems correct to me.

"tlsContext": {
  "commonTlsContext": {
    "tlsParams": {
      "tlsMinimumProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_AES_128_GCM_SHA256"
      ]
    },
    "tlsCertificateSdsSecretConfigs": [
      {
        "name": "myservice-ppe",
        "sdsConfig": {
          "apiConfigSource": {
            "apiType": "GRPC",
            "grpcServices": [
              {
                "googleGrpc": {
                  "targetUri": "unix:/var/run/ingress_gateway/sds",
                  "statPrefix": "sdsstat"
                }
              }
            ]
          }
        }
      }
    ],
    "alpnProtocols": [
      "h2",
      "http/1.1"
    ]
  },
  "requireClientCertificate": false
}

@yanavlasov
Contributor

@PiotrSikora do you have any insight into why this cipher is rejected?

@drzdbd1
Author

drzdbd1 commented Apr 15, 2020

@PiotrSikora @yanavlasov any ideas how I could troubleshoot this issue? The error seems unrelated to specific ciphers, it would appear regardless of which cipher.

@PiotrSikora
Contributor

TLS_AES_128_GCM_SHA256 is a TLS 1.3 cipher suite (and those are hardcoded, and not configurable), but you're trying to use it with TLS 1.2, where it doesn't exist.

Valid (configurable) cipher suites are:

$ bssl ciphers ALL
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_PSK_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_PSK_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
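The two points above (Istio emitted a TLS 1.3 suite name into tlsParams.cipherSuites, and only the TLS 1.2 names printed by bssl are configurable) can be turned into a pre-flight check. The following Go program is an added example written for this page; it is not Envoy, Istio or BoringSSL code. It classifies each requested name against the bssl list quoted above plus the three TLS 1.3 suite names, renders a warning in the same shape as the one in the issue, and returns the list that should go back into cipherSuites. Assumptions are marked in the comments: the table matches the BoringSSL revision in your Envoy build, and the ":" and ", " separators in the warning text.

```go
package main

import (
	"fmt"
	"strings"
)

// Configurable TLS 1.2 suites, exactly as `bssl ciphers ALL` printed them earlier
// in this thread. Assumption: your Envoy links the same BoringSSL revision;
// otherwise regenerate this table from your own bssl binary.
var boringSSLTLS12Suites = map[string]bool{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       true,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         true,
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       true,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         true,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": true,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   true,
	"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256":   true,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":          true,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":            true,
	"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA":            true,
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":          true,
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":            true,
	"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA":            true,
	"TLS_RSA_WITH_AES_128_GCM_SHA256":               true,
	"TLS_RSA_WITH_AES_256_GCM_SHA384":               true,
	"TLS_RSA_WITH_AES_128_CBC_SHA":                  true,
	"TLS_PSK_WITH_AES_128_CBC_SHA":                  true,
	"TLS_RSA_WITH_AES_256_CBC_SHA":                  true,
	"TLS_PSK_WITH_AES_256_CBC_SHA":                  true,
	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":                 true,
}

// TLS 1.3 suites. BoringSSL hardcodes these and tls_params.cipher_suites does
// not accept them, so naming one is a configuration error, not a missing feature.
var tls13Suites = map[string]bool{
	"TLS_AES_128_GCM_SHA256":       true,
	"TLS_AES_256_GCM_SHA384":       true,
	"TLS_CHACHA20_POLY1305_SHA256": true,
}

// Verdict classifies a requested cipher_suites list, name by name.
type Verdict struct {
	Accepted []string // usable in tls_params.cipher_suites
	TLS13    []string // drop these; TLS 1.3 negotiates them on its own
	Unknown  []string // absent from the BoringSSL table above
	Rejected []string // TLS13 + Unknown in request order, as Envoy reports them
}

// CheckCipherSuites mirrors the per-cipher retry behind the "rejected when
// tried individually" tail of Envoy's warning.
func CheckCipherSuites(suites []string) Verdict {
	var v Verdict
	for _, s := range suites {
		s = strings.TrimSpace(s)
		switch {
		case s == "": // ignore blank entries
		case tls13Suites[s]:
			v.TLS13, v.Rejected = append(v.TLS13, s), append(v.Rejected, s)
		case boringSSLTLS12Suites[s]:
			v.Accepted = append(v.Accepted, s)
		default:
			v.Unknown, v.Rejected = append(v.Unknown, s), append(v.Rejected, s)
		}
	}
	return v
}

// EnvoyWarning renders the verdict in the shape of the warning quoted above.
// Assumption: requested names joined with ":" (BoringSSL cipher-string syntax),
// rejected names with ", ".
func EnvoyWarning(requested []string, v Verdict) string {
	if len(v.Rejected) == 0 {
		return ""
	}
	return fmt.Sprintf("Failed to initialize cipher suites %s. The following "+
		"ciphers were rejected when tried individually: %s",
		strings.Join(requested, ":"), strings.Join(v.Rejected, ", "))
}

// CorrectedSuites is the list to put back into cipher_suites. An empty list is
// an error: Envoy would reject the secret, and quietly falling back to defaults
// would hide the policy mistake.
func CorrectedSuites(v Verdict) ([]string, error) {
	if len(v.Accepted) == 0 {
		return nil, fmt.Errorf("no configurable TLS 1.2 suite left after dropping %s",
			strings.Join(v.Rejected, ", "))
	}
	return append([]string(nil), v.Accepted...), nil
}

func main() {
	requested := []string{"TLS_AES_128_GCM_SHA256"} // constructed: the list from the config above
	v := CheckCipherSuites(requested)
	fmt.Println(EnvoyWarning(requested, v))
	fixed, err := CorrectedSuites(v)
	fmt.Println("fix:", fixed, err)
}
```

Run it on the config from the first comment and it reproduces the warning and reports that nothing usable remains, which is why the listener failed rather than degrading. If you need to restrict what TLS 1.3 negotiates, the lever is tls_minimum_protocol_version / tls_maximum_protocol_version, not cipher_suites; only the TLS 1.2 names from the bssl list belong in cipher_suites.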

@drzdbd1
Author

drzdbd1 commented Apr 15, 2020

ah thanks, I verified it worked for me. Is there a way we can add new cipher suites to the supported list?

@stale

stale bot commented May 15, 2020

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale bot added the "stale" label May 15, 2020
@stale

stale bot commented May 22, 2020

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.
