When the TLS endpoint that calico-typha exposes, the following ciphers are advertised as supported which are considered weak as they do not offer PFS (Perfect Forward Secrecy).

• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384

Expected Behavior

Only Ephemeral suites should be used

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Current Behavior

These suites are supported by the server:

• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384

Possible Solution

PR to remove the 2x weak ciphers.

Steps to Reproduce (for bugs)

1. Deploy the calico-typha
2. Test the TCP TLS endpoint with a utility such as drwetter's testssl.sh
3. Observe that the two weak ciphers are advertised along with the two recommended / strong ECDHE ciphers.