Merge pull request #47344 from rh-tokeefe/OSSMDOC-602

OSSMDOC-602: updated cipher suite doc for SMCP v2

Author: JStickler

modules/ossm-security-cipher-1x.adoc

@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/v1x/ossm-security.adoc
+
+[id="ossm-security-cipher-1x_{context}"]
+= Configuring cipher suites and ECDH curves
+
+Cipher suites and Elliptic-curve Diffie–Hellman (ECDH curves) can help you secure your service mesh. You can define a comma separated list of cipher suites using `spec.istio.global.tls.cipherSuites` and ECDH curves using `spec.istio.global.tls.ecdhCurves` in your `ServiceMeshControlPlane` resource. If either of these attributes are empty, then the default values are used.
+
+The `cipherSuites` setting is effective if your service mesh uses TLS 1.2 or earlier. It has no effect when negotiating with TLS 1.3.
+
+Set your cipher suites in the comma separated list in order of priority. For example, `ecdhCurves: CurveP256, CurveP384` sets `CurveP256` as a higher priority than `CurveP384`.
+
+[NOTE]
+====
+You must include either `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` or  `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` when you configure the cipher suite. HTTP/2 support requires at least one of these cipher suites.
+
+====
+
+The supported cipher suites are:
+
+* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+* TLS_RSA_WITH_AES_128_GCM_SHA256
+* TLS_RSA_WITH_AES_256_GCM_SHA384
+* TLS_RSA_WITH_AES_128_CBC_SHA256
+* TLS_RSA_WITH_AES_128_CBC_SHA
+* TLS_RSA_WITH_AES_256_CBC_SHA
+* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+* TLS_RSA_WITH_3DES_EDE_CBC_SHA
+
+The supported ECDH Curves are:
+
+* CurveP256
+* CurveP384
+* CurveP521
+* X25519

modules/ossm-security-cipher.adoc

@@ -1,12 +1,11 @@
 // Module included in the following assemblies:
 //
-// * service_mesh/v1x/ossm-security.adoc
 // * service_mesh/v2x/ossm-security.adoc
 
 [id="ossm-security-cipher_{context}"]
 = Configuring cipher suites and ECDH curves
 
-Cipher suites and Elliptic-curve Diffie–Hellman (ECDH curves) can help you secure your service mesh. You can define a comma separated list of cipher suites using `spec.istio.global.tls.cipherSuites` and ECDH curves using `spec.istio.global.tls.ecdhCurves` in your `ServiceMeshControlPlane` resource. If either of these attributes are empty, then the default values are used.
+Cipher suites and Elliptic-curve Diffie–Hellman (ECDH curves) can help you secure your service mesh. You can define a comma separated list of cipher suites using `spec.security.controlplane.tls.cipherSuites` and ECDH curves using `spec.security.controlplane.tls.ecdhCurves` in your `ServiceMeshControlPlane` resource. If either of these attributes are empty, then the default values are used.
 
 The `cipherSuites` setting is effective if your service mesh uses TLS 1.2 or earlier. It has no effect when negotiating with TLS 1.3.
 

service_mesh/v1x/ossm-security.adoc

@@ -12,6 +12,6 @@ If your service mesh application is constructed with a complex array of microser
 
 include::modules/ossm-security-mtls-1x.adoc[leveloffset=+1]
 
-include::modules/ossm-security-cipher.adoc[leveloffset=+1]
+include::modules/ossm-security-cipher-1x.adoc[leveloffset=+1]
 
 include::modules/ossm-security-cert-manage.adoc[leveloffset=+1]