tls: support for ECDSA P-384 and P-521 certificates (#10855) #36369
Mobile/CC (success)
Check has finished
Check run finished (success ✔️)
The check run can be viewed here:
Mobile/CC (pr/36369/main@d1821b2)
Check started by
Request (pr/36369/main@d1821b2)
@anitabyte d1821b2
#36369 merge
main@e3ed5a7
Commit Message: tls: support for ECDSA P-384 and P-521 certificates (#10855)
Additional Description: Commercial National Security Algorithm Suite (CNSA) requires ECDSA keys be specified with P-384 curves. The assertion that there are no security benefits to curves higher than P-256 is no longer true. This change is intended to limit the adoptable curves to P-384 and P-521.
Risk Level: Medium - removal of limitation of curves to be used for ECDSA certificates, with [potential misconfiguration and DoS risks](https://github.com//issues/10855#issuecomment-618023133) mentioned in previous discourse on the issue.
Testing: Testing using unit and integration tests
Docs Changes: Changes made to reference that P-384 and P-521 certificates now are useable.
Environment
Request variables
Key | Value |
---|---|
ref | edeba3d |
sha | d1821b2 |
pr | 36369 |
base-sha | e3ed5a7 |
actor | @anitabyte |
message | tls: support for ECDSA P-384 and P-521 certificates (#10855)... |
started | 1727477818.362402 |
target-branch | main |
trusted | false |
Build image
Container image/s (as used in this CI run)
Key | Value |
---|---|
default | envoyproxy/envoy-build-ubuntu:f94a38f62220a2b017878b790b6ea98a0f6c5f9c |
mobile | envoyproxy/envoy-build-ubuntu:mobile-f94a38f62220a2b017878b790b6ea98a0f6c5f9c |
Version
Envoy version (as used in this CI run)
Key | Value |
---|---|
major | 1 |
minor | 32 |
patch | 0 |
dev | true |