
There is an existing nginx ingress named nginx-proxy running on the K8s cluster.

Now, there is a requirement from the Dev team to disable TLS 1.0, 1.1 support.

Upon searching, I could see this solution using configmap.

Do you think applying/creating a new configmap as follows to an existing nginx ingress helps me to resolve the issue?

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-proxy
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"

Does adding a new configmap like that to an existing nginx ingress break anything? This is for the production website.

A piece of advice would be really helpful.

2 Answers


  1. "To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a secure set of TLS ciphers." [source]

    It seems ingress-nginx uses TLS 1.2 and 1.3 only by default. The snippet you added to your question can be used to enable older TLS versions – like 1.0 and 1.1.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: nginx-config
    data:
      ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
      ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    

    [source]

    You can check which versions of TLS (and ciphers) are enabled by issuing

    nmap --script ssl-enum-ciphers -p 443 <ingress-nginx>
    

    replace <ingress-nginx> with your ingress IP.

  2. You can follow this official document for disabling TLS 1.0:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: nginx-config
    data:
      ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
      ssl-protocols: "TLSv1.2 TLSv1.3"
    

    You also need to update the ciphers as per version instead of using the default ones.

    You can try with the above configmap.

    Also, I would recommend updating the SSL/TLS cert if you are using one in the ingress.

    If you are using cert-manager, please try deleting the secret containing the SSL/TLS cert for the ingress endpoint and getting the cert again using cert-manager.

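Both answers boil down to two steps: put an `ssl-protocols` value that lists only TLSv1.2 and TLSv1.3 into the ConfigMap the controller reads, then verify from outside that TLS 1.0 and 1.1 handshakes are now refused. The script below is an added example, not code from the original post or from the ingress-nginx project. It validates the protocol list before anything is applied (a typo such as `TLS1.2` or a leftover `TLSv1` would otherwise silently change the production behaviour), renders the manifest, and, once the controller has reloaded, probes the endpoint with `openssl s_client` for each protocol version. The ConfigMap name and namespace are assumptions: ingress-nginx only reads the ConfigMap named by its `--configmap` flag, so use whatever that flag points at in your deployment.

```sh
#!/bin/sh
# Added example, not code from the original post or from ingress-nginx.
# Pre-flight check for the ssl-protocols value before applying it to the
# controller ConfigMap, plus a post-change probe with openssl s_client.
# The name/namespace below are assumptions: use the ConfigMap that the
# controller's --configmap flag points at in your cluster.

CM_NAME="${CM_NAME:-nginx-proxy}"
CM_NAMESPACE="${CM_NAMESPACE:-ingress-nginx}"

# check_ssl_protocols "TLSv1.2 TLSv1.3"
# Returns 0 when every token is TLSv1.2 or TLSv1.3, 1 otherwise
# (deprecated TLSv1/TLSv1.1, an empty value, or a misspelled token).
check_ssl_protocols() {
  [ -n "$1" ] || return 1
  for proto in $1; do
    case "$proto" in
      TLSv1.2|TLSv1.3) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# render_configmap "TLSv1.2 TLSv1.3"
# Prints the ConfigMap manifest the controller picks up on its next reload.
render_configmap() {
  cat <<EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: ${CM_NAME}
  namespace: ${CM_NAMESPACE}
data:
  ssl-protocols: "$1"
EOF
}

# apply_if_safe "TLSv1.2 TLSv1.3"
# Refuses to apply a value that still enables TLS 1.0/1.1 or is malformed.
apply_if_safe() {
  if ! check_ssl_protocols "$1"; then
    echo "refusing to apply ssl-protocols='$1': only TLSv1.2/TLSv1.3 allowed" >&2
    return 1
  fi
  render_configmap "$1" | kubectl apply -f -
}

# probe_tls ingress.example.com [443]
# After the reload, tls1 and tls1_1 should print "rejected" while tls1_2
# and tls1_3 print "accepted". Needs network access and OpenSSL 1.1.1+.
probe_tls() {
  host="$1"
  port="${2:-443}"
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    if openssl s_client -connect "${host}:${port}" -servername "$host" "-$v" \
         </dev/null >/dev/null 2>&1; then
      echo "$v: accepted"
    else
      echo "$v: rejected"
    fi
  done
}

# Usage: sh tls_preflight.sh "TLSv1.2 TLSv1.3" [ingress-host]
if [ -n "$1" ]; then
  apply_if_safe "$1" || exit 1
  if [ -n "$2" ]; then
    probe_tls "$2"
  fi
fi
```

Run it first with only the protocol argument, watch the controller pod log for the configuration reload, and then run it again with the ingress hostname to confirm the legacy versions are rejected; this is the same check the `nmap --script ssl-enum-ciphers` command from the first answer performs, expressed per protocol version. Note that a build of OpenSSL without TLS 1.0 support will also report `tls1: rejected`, so the probe only proves a version is disabled on the server when the client actually offered it.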