Meh
July 20, 2023, 6:49am
Hello,
I have 3 questions regarding the ciphersuites used by mTLS in OpenZiti and the pki.
What are the default ciphersuites accepted by mTLS in OpenZiti?
Is it possible to modify these settings?
Is it possible to change the algorithm to generate the keys used by the pki (RSA, ECC, …)?
I noticed it’s possible to change the TLS min/max versions in the controller yaml configuration file.
Thank you!
Probably want @andrew.martinez to weigh in and agree/confirm/correct this response....
Meh:
What are the default ciphersuites accepted by mTLS in OpenZiti?
I believe they are enumerated here: https://github.com/openziti/foundation/blob/main/tlz/cipher.go . Looks to me like it's these:
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
Meh:
Is it possible to modify these settings?
I didn't see any configuration options, but it's sometimes hard to find if you don't know where to look. I'll get @andrew.martinez to comment; I expect he'll know where to look/verify.
Meh:
Is it possible to change the algorithm to generate the keys used by the pki (RSA, ECC, …)?
Right now, it looks like ziti pki create (which is what our quickstart uses to generate the PKI) only uses RSA keys, and I don't see an option yet to use EC.
It was pointed out to me that @andrew.martinez already documented the cipher suites. I had forgotten about it. Also aligns with my reply, thankfully.
See: Connection Security | OpenZiti
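To see how the quoted list behaves in practice, here is an added Go example (not OpenZiti's own code) that pins an in-memory TLS server to those six suites and checks what a client can negotiate. It uses a throwaway self-signed P-256 certificate, which also shows why a server with an EC key can only use the ECDSA half of the list; the RSA half only matters when the PKI issues RSA keys, as the quickstart currently does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// OpenZitiDefaultSuites is the list quoted above from openziti/foundation tlz/cipher.go.
var OpenZitiDefaultSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}

// ecdsaCert builds a throwaway self-signed P-256 certificate (constructed test material, not an OpenZiti PKI).
func ecdsaCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Negotiate handshakes over an in-memory pipe: server pinned to OpenZitiDefaultSuites, client offering
// clientSuites (nil = Go defaults). Both ends are capped at TLS 1.2: Go ignores CipherSuites for TLS 1.3.
func Negotiate(clientSuites []uint16) (uint16, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{ecdsaCert()}, CipherSuites: OpenZitiDefaultSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cli := &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites, // self-signed test cert
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	c, s := net.Pipe()
	defer c.Close() // raw close: a tls Close would stall sending close_notify into the unread pipe
	go tls.Server(s, srv).Handshake() // server half; its failure reaches the client as an alert
	conn := tls.Client(c, cli)
	if err := conn.Handshake(); err != nil {
		return 0, err
	}
	return conn.ConnectionState().CipherSuite, nil
}
```

Swap the server key for an RSA one and the outcome flips: the ECDHE_RSA suites become usable and the ECDHE_ECDSA ones are refused.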
Meh
July 20, 2023, 12:17pm
@TheLumberjack
Amazing, thank you for your detailed answer!