The RSA method for key exchange has been removed from TLS 1.3 as it does not provide Forward Secrecy.
For some OpenShift versions and components, TLS 1.3 is not yet a supported option. For these components one can alternatively configure OpenShift components to use the most secure TLS 1.2 options available.

Note that a single TLS connection requires both a compatible client AND server. By disabling older cipher suites in server-side components, one risks preventing older clients from connecting. All configuration options described below should be tested thoroughly before applying in production.

TLS 1.2 Cipher Suites

A single cipher suite defines the Key Exchange (Kx) method, Key Exchange Authentication (Au) method (i.e. certificate key type), bulk Encryption (Enc) method and Message Authentication (Mac) method.

Limiting the set to TLS 1.2 cipher suites is a good starting point as it already removes cipher suites from earlier versions with known weak cryptographic primitives like CBC (vulnerable to Lucky13/CVE-2013-0169) and DES/3DES (vulnerable to Sweet32/CVE-2016-2183). However, there are a number of TLS 1.2 cipher suites that include methods that are no longer supported in TLS 1.3.

(Note that cipher suites using AES CCM for bulk encryption have been removed from the above, as they are not supported by Go crypto/tls or OpenSSL in RHEL7.)
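As an added example (not taken from the original document or from OpenShift's code), this Go program applies the narrowing described here with crypto/tls: it keeps only TLS 1.2 suites that combine an ephemeral ECDHE key exchange with AEAD bulk encryption. The helper names and the selection policy are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// splitSuite separates Kx/Au from Enc/Mac; TLS 1.3 names have no "_WITH_".
func splitSuite(name string) (kxAu, encMac string, ok bool) {
	return strings.Cut(strings.TrimPrefix(name, "TLS_"), "_WITH_")
}

// acceptable keeps TLS 1.2 suites with ECDHE key exchange and AEAD encryption.
func acceptable(cs *tls.CipherSuite) bool {
	kxAu, encMac, ok := splitSuite(cs.Name)
	if !ok || !strings.HasPrefix(kxAu, "ECDHE_") {
		return false // TLS 1.3 suite, or static RSA key exchange
	}
	for _, v := range cs.SupportedVersions {
		if v == tls.VersionTLS12 {
			return strings.Contains(encMac, "GCM") ||
				strings.Contains(encMac, "CHACHA20_POLY1305")
		}
	}
	return false
}

// HardenedTLS12Suites filters every suite crypto/tls implements (assumed policy).
func HardenedTLS12Suites() []uint16 {
	var ids []uint16
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if acceptable(cs) {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// ServerConfig is a hypothetical helper; Go ignores CipherSuites for TLS 1.3.
func ServerConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: HardenedTLS12Suites()}
}

func main() {
	for _, id := range ServerConfig().CipherSuites {
		fmt.Println(tls.CipherSuiteName(id))
	}
}
```

Because the list is derived from the suites the running Go version implements, it should be reviewed and tested against the clients that must connect before it is deployed.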
TLS 1.3 is a significant rewrite of the TLS specification including substantial changes to the handshake protocol, with several performance and security improvements.
This doc is intended as a comparison and overview of TLS configuration options in OpenShift Container Platform 3 and 4. Where possible, it is advised to use the latest version of TLS, 1.3.