tls: Don't fail on min-tls-version 1.3 and specified ciphers.

ormergi · ormergi · commit 84e2b94c9ce5 · 2026-03-17T10:31:14.000+02:00
Blocking when both minimal TLS version is 1.3 and ciphers are specified may break
upgrade path on clusters that use such settings (e.g.: Openshift cluster using
TLSSecurityProfile type Custom, min TLS version 1.3 and ciphers).

Drop the configurable ciphers validation.

Add comment in 'tls-cipher-suites' flag description about how
cipher-suites are affected by 'min-tls-version'.

Signed-off-by: Or Mergi &lt;ormergi@redhat.com&gt;
diff --git a/cmd/main.go b/cmd/main.go
@@ -88,7 +88,8 @@ func main() {
 		"Supported values are tls package constants names (e.g. VersionTLS13), please see "+
 		"https://pkg.go.dev/crypto/tls#pkg-constants")
 	flag.StringVar(&tlsCipherSuitesRaw, "tls-cipher-suites", "",
-		"Comma-separated list of TLS cipher suite names (OpenSSL names. E.g: TLS_AES_128_GCM_SHA256).")
+		"Comma-separated list of TLS cipher suite names (OpenSSL names. E.g: TLS_AES_128_GCM_SHA256)."+
+			"When 'min-tls-version' is 'VersionTLS13', cipher suites are selected by the runtime.")
 	flag.StringVar(&tlsCurvePreferencesRaw, "tls-curve-preferences", "",
 		"Comma-separated list of TLS curve preference names. "+
 			"Supported values are tls package constants names (e.g. CurveP256), please see "+
diff --git a/pkg/config/tls.go b/pkg/config/tls.go
@@ -68,9 +68,6 @@ func ParseTLSOptions(
 	}
 
 	cipherSuiteNames := parseStringSlice(tlsCipherSuitesRaw)
-	if err := validateTLSVersionConfigurableCiphers(tlsMinVersion, cipherSuiteNames); err != nil {
-		return nil, err
-	}
 	cipherSuiteIDs, err := toCipherSuiteIDs(cipherSuiteNames)
 	if err != nil {
 		return nil, err
@@ -107,13 +104,6 @@ func toTLSVersion(tlsVersionName string) (uint16, error) {
 	return tlsVersion, nil
 }
 
-func validateTLSVersionConfigurableCiphers(versionID uint16, cipherSuiteNames []string) error {
-	if versionID == tls.VersionTLS13 && len(cipherSuiteNames) > 0 {
-		return fmt.Errorf("configuring cipher suites for TLS 1.3 is not allowed")
-	}
-	return nil
-}
-
 func toCipherSuiteIDs(cipherSuiteNames []string) ([]uint16, error) {
 	ids, err := getValuesByKeys(tlsCipherSuiteIDByName, cipherSuiteNames)
 	if err != nil {
diff --git a/pkg/config/tls_test.go b/pkg/config/tls_test.go
@@ -65,12 +65,6 @@ var _ = Describe("ParseTLSOptions", func() {
 				ciphers:    "TLS_AES_128_GCM_SHA256",
 			},
 		),
-		Entry("cipher suites are specified and minimal version is 1.3",
-			flags{
-				minVersion: "VersionTLS13",
-				ciphers:    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384",
-			},
-		),
 	)
 
 	DescribeTable("should succeed, given",
