Kubernetes: Disable TLS 1.0 and 1.1 on nginx ingress - PhpOut

vjwilson
October 11, 2021
285 views
1 vote
2 Answers

An existing nginx ingress named nginx-proxy running on the K8 cluster.

Now, there is a requirement from the Dev team to disable TLS 1.0, 1.1 support.

Upon searching, I could see this solution using configmap.

Do you think applying/creating a new configmap as follows to an existing nginx ingress helps me to resolve the issue?

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-proxy
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"

Adding a new configmap like that to an existing nginx ingress breaks anything?. Because this is for the production website.

A piece of advice would be really helpful.

Tags: configmap kubernetes kubernetes-ingress nginx-ingress

Answers

- user15659347
- October 12, 2021 at 6:31 pm
- 0 votes
0
To provide the most secure baseline configuration possible,

nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a secure set of TLS ciphers. ^[source]

It seems ingress-nginx uses TLS 1.2 and 1.3 only by default. The snippet you added to your question can be used to enable older TLS versions – like 1.0 and 1.1.
```
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
```
^[source]

You can check which versions of TLS (and ciphers) are enabled by issuing
```
nmap --script ssl-enum-ciphers -p 443 <ingress-nginx>
```
replace <ingress-nginx> with your ingress IP.
Login or Signup to reply.

- HarshManvar
- October 12, 2021 at 8:21 pm
- 0 votes
0
You can follow this official document or disabling the TLS 1.0
```
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
  ssl-protocols: "TLSv1.2 TLSv1.3"
```
You need to update the ciphers also as perversion instead of using the default one.

You can try with the above configmap.

Also, I would recommend updating the SSL/TLS cert if you using in ingress.

If you are using the cert-manager please try deleting the secret which containing the SSL/TLS cert for ingress endpoint and try getting the cert again using the cert-manager once.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.