Merge pull request #51117 from austinvazquez/cherry-pick-fix-go-validation-checks-to-25.0
[25.0] Rework Go mod tidy/vendor checks
diff --git a/.github/workflows/arm64.yml b/.github/workflows/arm64.yml
index 704bdd4..1f8c391 100644
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -86,7 +86,7 @@
targets: dev
set: |
*.cache-from=type=gha,scope=dev-arm64
- *.cache-to=type=gha,scope=dev-arm64,mode=max
+ *.cache-to=type=gha,scope=dev-arm64
*.output=type=cacheonly
test-unit:
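Review bot: Dropping `mode=max` from the cache-to line (L11-L12) switches the GHA cache export to the default `min` mode, which only exports the layers of the final stage, so intermediate stages of the `dev` target will no longer be restored on later runs; neither the line nor the commit message says why. If the motivation is the GitHub Actions cache quota (the most likely reason, but not visible here), record it beside the line, e.g. `# default (min) export mode: keep the exported cache within the GHA cache quota`, so the next person chasing cache misses does not simply put `mode=max` back. The same change appears in test.yml and should carry the same note.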
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8a9b799..da7a31f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -41,6 +41,7 @@
mode:
- ""
- systemd
+ - firewalld
steps:
-
name: Prepare
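Review bot: The new `firewalld` matrix value (L23) is consumed somewhere outside this hunk — it is interpolated into the cache scope `dev${{ matrix.mode }}` further down, and presumably selects a daemon variant in a build or test script — but nothing in the workflow explains what this leg exercises or what the dev image needs for it. A one-line comment beside the entry, `# firewalld: run the daemon with firewalld active to cover its firewall integration`, worded to match whatever the mode actually switches on, would make the matrix self-describing. Note that the first run in the new `devfirewalld` scope will have no cache to restore from, so a slow initial run is expected rather than a failure.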
@@ -58,7 +59,7 @@
targets: dev
set: |
*.cache-from=type=gha,scope=dev${{ matrix.mode }}
- *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
+ *.cache-to=type=gha,scope=dev${{ matrix.mode }}
*.output=type=cacheonly
test:
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
index 3704042..b1f2688 100644
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -9,7 +9,9 @@
"os"
"path/filepath"
"runtime"
+ "slices"
"sort"
+ "strconv"
"strings"
"sync"
"time"
@@ -67,6 +69,14 @@
"tags.cncf.io/container-device-interface/pkg/cdi"
)
+// strongTLSCiphers defines a secure, modern set of TLS cipher suites for use by the daemon.
+var strongTLSCiphers = []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+}
+
// DaemonCli represents the daemon CLI.
type DaemonCli struct {
*config.Config
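Review bot: The doc comment on `strongTLSCiphers` (L52) should say that this list only governs TLS 1.2 handshakes: crypto/tls does not let `Config.CipherSuites` select or exclude TLS 1.3 suites, and since Go 1.17 the server-side selection ignores the order of the slice, so the 256-before-128 ordering here is not a preference. Suggested comment: `// strongTLSCiphers is the allow-list applied to TLS 1.2 handshakes when DOCKER_DISABLE_WEAK_CIPHERS is set. TLS 1.3 suites are fixed by crypto/tls and unaffected; the order is not honored by Go's server-side selection.` Without this, a reader may assume the variable also hardens TLS 1.3 or that reordering it changes negotiation.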
@@ -779,6 +789,18 @@
if err != nil {
return nil, errors.Wrap(err, "invalid TLS configuration")
}
+ // Optionally enforce strong TLS ciphers via the environment variable DOCKER_DISABLE_WEAK_CIPHERS.
+ // When set to true, weak TLS ciphers are disabled, restricting the daemon to a modern, secure
+ // subset of cipher suites.
+ if disableWeakCiphers := os.Getenv("DOCKER_DISABLE_WEAK_CIPHERS"); disableWeakCiphers != "" {
+ disable, err := strconv.ParseBool(disableWeakCiphers)
+ if err != nil {
+ return nil, errors.Wrap(err, "invalid value for DOCKER_DISABLE_WEAK_CIPHERS")
+ }
+ if disable {
+ tlsConfig.CipherSuites = slices.Clone(strongTLSCiphers)
+ }
+ }
}
return tlsConfig, nil
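Review bot: Enabling the flag (L75-L77) implicitly refuses TLS 1.0/1.1 clients as well, because every suite in `strongTLSCiphers` is an AEAD suite that only exists in TLS 1.2, and that side effect is neither documented nor stated as a minimum version; whether the helper that built `tlsConfig` above the hunk already sets `MinVersion` is not visible here. Make the intent explicit so it does not depend on the suite list: `tlsConfig.MinVersion = max(tlsConfig.MinVersion, tls.VersionTLS12)` next to the `CipherSuites` assignment (the file already uses Go 1.21 stdlib via `slices`, so the `max` builtin is available). Operators also get no signal that the restriction is active; a single info-level log line from whatever logger this function has in scope, e.g. `"DOCKER_DISABLE_WEAK_CIPHERS set: restricting TLS 1.2 cipher suites"`, would make the mode visible in the daemon log when debugging client handshake failures. The enclosing function starts outside the hunk, and the comment at L67-L69 should also note that TLS 1.3 handshakes are unaffected by this setting.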