From c031784a61f00c75dbd1ff7d08a88a6266b9da1c Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Thu, 1 May 2025 21:49:22 +0000
Subject: [PATCH] Update the default TLS ciphers list

This patch updates the default TLS ciphers list to reflect the current
recommended ciphers.

Closes-Bug: #2109688
Change-Id: I8da32d633c546b09662ad18ba1eff3007f4a3ccc
---
 octavia/common/constants.py | 15 +++++++-----
 ...lt-TLS-cipher-suites-7359fe87fc246618.yaml | 24 +++++++++++++++++++
 2 files changed, 33 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/Updated-default-TLS-cipher-suites-7359fe87fc246618.yaml

diff --git a/octavia/common/constants.py b/octavia/common/constants.py
index c4f383591e..310fada18d 100644
--- a/octavia/common/constants.py
+++ b/octavia/common/constants.py
@@ -896,13 +896,16 @@ CINDER_ACTION_CREATE_VOLUME = 'create volume'
 NIL_UUID = '00000000-0000-0000-0000-000000000000'
 
 # OpenSSL cipher strings
-CIPHERS_OWASP_SUITE_B = ('TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:'
- 'TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:'
- 'DHE-RSA-AES128-GCM-SHA256:'
+CIPHERS_OWASP_SUITE_B = ('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:'
+ 'TLS_CHACHA20_POLY1305_SHA256:'
+ 'ECDHE-ECDSA-AES128-GCM-SHA256:'
+ 'ECDHE-RSA-AES128-GCM-SHA256:'
+ 'ECDHE-ECDSA-AES256-GCM-SHA384:'
 'ECDHE-RSA-AES256-GCM-SHA384:'
- 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:'
- 'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:'
- 'ECDHE-RSA-AES128-SHA256')
+ 'ECDHE-ECDSA-CHACHA20-POLY1305:'
+ 'ECDHE-RSA-CHACHA20-POLY1305:'
+ 'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:'
+ 'DHE-RSA-CHACHA20-POLY1305')
 
 TLS_VERSIONS_OWASP_SUITE_B = [lib_consts.TLS_VERSION_1_2,
 lib_consts.TLS_VERSION_1_3]
diff --git a/releasenotes/notes/Updated-default-TLS-cipher-suites-7359fe87fc246618.yaml b/releasenotes/notes/Updated-default-TLS-cipher-suites-7359fe87fc246618.yaml
new file mode 100644
index 0000000000..ae751bccf3
--- /dev/null
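Review bot: The three `TLS_*` names at the head of the new `CIPHERS_OWASP_SUITE_B` value are TLS 1.3 ciphersuite names, which OpenSSL's cipher-list parser (what HAProxy's `ciphers` keyword consumes) does not recognise and silently drops, so the reordering of those three entries only takes effect if this string is also routed to a `ciphersuites`-style setting — the template is not in this hunk, so please confirm which directive receives it. The DHE-RSA suites retained in the list are only as strong as the DH group the listener negotiates with; the "intermediate" profile this list is taken from assumes 2048-bit (ffdhe2048) parameters, and a weaker group would undercut the list, so that assumption is worth recording next to the constant. The constant keeps the `OWASP_SUITE_B` name while its content is now the Mozilla/OWASP "intermediate" profile (ChaCha20-Poly1305 and DHE are not part of NSA Suite B), which will mislead the next reader; I would replace the header comment with `# Mozilla/OWASP "intermediate" profile for TLS 1.2/1.3; the name is kept for backward compatibility and does not denote NSA Suite B.` The assignment is complete within the hunk.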
+++ b/releasenotes/notes/Updated-default-TLS-cipher-suites-7359fe87fc246618.yaml
@@ -0,0 +1,24 @@
+---
+upgrade:
+ - |
+ The default TLS cipher suite list has been updated to the current
+ 'intermediate' recommendations. Load balancers will need to be failed over
+ to use the new default list if the operator and user opted for the Octavia
+ default cipher list.
+security:
+ - |
+ Updated the default TLS cipher suites based on current OWASP/Mozilla.org
+ recommendations for Intermediate compatibility. The new default list is\:
+ - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - DHE-RSA-CHACHA20-POLY1305