OpenZiti mTLS Ciphersuites and pki

Hello,

I have 3 questions regarding the ciphersuites used by mTLS in OpenZiti and the pki.

  • What are the default ciphersuites accepted by mTLS in OpenZiti?
  • Is it possible to modify these settings?
  • Is it possible to change the algorithm to generate the keys used by the pki (RSA, ECC, …)?

I noticed it’s possible to change the TLS min/max versions in the controller yaml configuration file.

Thank you!

Probably want @andrew.martinez to weigh in and agree/confirm/correct this response.

I believe they are enumerated here: https://github.com/openziti/foundation/blob/main/tlz/cipher.go

Looks to me like it's these:

tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,

I didn't see any configuration options, but it's sometimes hard to find if you don't know where to look. I'll get @andrew.martinez to comment, I expect he'll know where to look/verify

Right now, it looks like ziti pki create (which is what our quickstart uses to generate the PKI) only uses RSA keys and I don't see an option yet to use EC.

It was pointed out to me that @andrew.martinez already documented the cipher suites. I had forgotten about it. Also aligns with my reply, thankfully. :wink:

See: Connection Security | OpenZiti
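To see what the six-suite list above means in practice, and how it interacts with the RSA-vs-EC key question, here is an added example in Go (OpenZiti is written in Go and the list is `crypto/tls` constants). It is not OpenZiti's code and not the reply author's: it copies the six suites from the reply into a server config capped at TLS 1.2, mints a throwaway self-signed certificate with either an RSA or a P-256 key, and then runs one in-memory handshake per TLS 1.2 suite Go knows about, with the client offering exactly that one suite, to report which the restricted server actually accepts. The suite list, the self-signed certificates and `net.Pipe` transport are all assumptions made for the probe; it exercises Go's `crypto/tls` suite selection, not a running controller.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// serverSuites is the six-suite list quoted in the reply above (assumption: copied from that reply, not read from OpenZiti).
var serverSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}

// handshake runs one TLS 1.2 handshake over an in-memory pipe: the server is restricted to
// serverSuites and presents cert; the client offers exactly one suite. nil means accepted.
func handshake(cert tls.Certificate, suite uint16) error {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // the quoted list is TLS 1.2 only; Go's TLS 1.3 suites are not configurable
		CipherSuites: serverSuites,
	}
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // probe only: we test suite selection, not identity
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       []uint16{suite},
	}
	srvConn, cliConn := net.Pipe()
	_ = srvConn.SetDeadline(time.Now().Add(5 * time.Second)) // never let a probe hang
	_ = cliConn.SetDeadline(time.Now().Add(5 * time.Second))
	srvDone := make(chan struct{})
	go func() {
		_ = tls.Server(srvConn, srvCfg).Handshake() // failure is reported to the client as an alert
		srvConn.Close()                             // close the raw pipe; a close_notify would block on the unbuffered pipe
		close(srvDone)
	}()
	err := tls.Client(cliConn, cliCfg).Handshake() // succeeds only if the server picked our one suite
	cliConn.Close()
	<-srvDone // wait for the server side to finish before reporting
	return err
}

// probeWith makes a throwaway self-signed cert for keyType ("rsa" = 2048-bit, else ECDSA P-256), offers
// every TLS 1.2 suite this Go toolchain knows (secure and insecure lists), and returns the accepted names sorted.
func probeWith(keyType string) ([]string, error) {
	var priv crypto.Signer
	var err error
	if keyType == "rsa" {
		priv, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{ // minimal self-signed template, not a PKI-issued cert
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	var accepted []string
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if s.SupportedVersions[0] == tls.VersionTLS13 { // TLS 1.3-only suites: skip
			continue
		}
		if handshake(cert, s.ID) == nil {
			accepted = append(accepted, s.Name)
		}
	}
	sort.Strings(accepted)
	return accepted, nil
}

func main() {
	for _, kt := range []string{"ecdsa", "rsa"} {
		got, err := probeWith(kt)
		fmt.Printf("%s key: %v (err=%v)\n", kt, got, err)
	}
}
```

What it shows: with an RSA-keyed certificate (what `ziti pki create` produces, per the reply above) only the three `ECDHE_RSA` suites negotiate; with an EC key only the three `ECDHE_ECDSA` ones do. Every other suite the client offers, including static-RSA key exchange, CBC, 3DES and RC4, is refused with a handshake-failure alert, so the key algorithm chosen for the PKI effectively halves the list and nothing outside it is reachable.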

@TheLumberjack

Amazing, thank you for your detailed answer!