diff --git a/sdk/helper/tlsutil/tlsutil.go b/sdk/helper/tlsutil/tlsutil.go
index 236d32ec6..1ead6e590 100644
--- a/sdk/helper/tlsutil/tlsutil.go
+++ b/sdk/helper/tlsutil/tlsutil.go
@@ -42,6 +42,9 @@ var cipherMap = map[string]uint16{
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ "TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256,
+ "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384,
+ "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
 }
 
 // ParseCiphers parse ciphersuites from the comma-separated string into recognized slice
diff --git a/vault/cluster_test.go b/vault/cluster_test.go
index 81ff81b95..f20d2474a 100644
--- a/vault/cluster_test.go
+++ b/vault/cluster_test.go
@@ -5,7 +5,6 @@ import (
 "context"
 "crypto/tls"
 "crypto/x509"
- "fmt"
 "net/http"
 "testing"
 "time"
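Review bot: The three TLS 1.3 names added to cipherMap will parse, but Go's crypto/tls does not honor tls.Config.CipherSuites for TLS 1.3 (those suites are always enabled and not configurable), so listing them changes nothing about TLS 1.3 negotiation, and a ClusterCipherSuites value naming only TLS 1.3 suites leaves no usable suite for a TLS 1.2 peer. That caveat belongs in the ParseCiphers doc comment that ends the hunk, e.g. `// TLS 1.3 names (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) are accepted for forward` / `// compatibility only: Go does not let CipherSuites restrict TLS 1.3, so a list containing only them disables TLS 1.2.` The commit also deletes TestCluster_CustomCipherSuites in vault/cluster_test.go without a replacement, so neither the new map entries nor the "tls13" case in vault/core.go is covered by a test afterwards. The cipherMap declaration starts before the hunk.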
@@ -372,38 +371,3 @@ func testCluster_ForwardRequests(t *testing.T, c *TestClusterCore, rootToken, re
 }
 }
 }
-
-func TestCluster_CustomCipherSuites(t *testing.T) {
- cluster := NewTestCluster(t, &CoreConfig{
- ClusterCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- }, nil)
- cluster.Start()
- defer cluster.Cleanup()
- core := cluster.Cores[0]
-
- // Wait for core to become active
- TestWaitActive(t, core.Core)
-
- core.getClusterListener().AddClient(consts.RequestForwardingALPN, &requestForwardingClusterClient{core.Core})
-
- parsedCert := core.localClusterParsedCert.Load().(*x509.Certificate)
- dialer := core.getGRPCDialer(context.Background(), consts.RequestForwardingALPN, parsedCert.Subject.CommonName, parsedCert)
-
- netConn, err := dialer(core.getClusterListener().Addrs()[0].String(), 0)
- conn := netConn.(*tls.Conn)
- if err != nil {
- t.Fatal(err)
- }
- defer conn.Close()
- err = conn.Handshake()
- if err != nil {
- t.Fatal(err)
- }
- if conn.ConnectionState().CipherSuite != tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 {
- var availCiphers string
- for _, cipher := range core.clusterCipherSuites {
- availCiphers += fmt.Sprintf("%x ", cipher)
- }
- t.Fatalf("got bad negotiated cipher %x, core-set suites are %s", conn.ConnectionState().CipherSuite, availCiphers)
- }
-}
diff --git a/vault/core.go b/vault/core.go
index cb792084f..fc0fdb911 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -711,7 +711,7 @@ func NewCore(conf *CoreConfig) (*Core, error) {
 c.activeContextCancelFunc.Store((context.CancelFunc)(nil))
 switch conf.ClusterCipherSuites {
- case "tls12":
+ case "tls13", "tls12":
 // Do nothing, let Go use the default
 case "":