feat: support host level dynamic setting of tls protocol version

apisix/cli/ngx_tpl.lua

@@ -653,6 +653,10 @@ http {
         }
 
         {% if ssl.enable then %}
+        ssl_client_hello_by_lua_block {
+            apisix.http_ssl_protocols_phase()
+        }
+
         ssl_certificate_by_lua_block {
             apisix.http_ssl_phase()
         }

apisix/init.lua

@@ -178,11 +178,29 @@ end
 
 
 function _M.http_ssl_phase()
+    local ok, err = router.router_ssl.set(ngx.ctx.matched_ssl)
+    if not ok then
+        if err then
+            core.log.error("failed to fetch ssl config: ", err)
+        end
+        ngx_exit(-1)
+    end
+end
+
+function _M.http_ssl_protocols_phase()
+    local ssl_clt = require "ngx.ssl.clienthello"
+    local host, err = ssl_clt.get_client_hello_server_name()
+
+    if err then
+        core.log.error("failed to get the SNI name: ", err)
+        ngx_exit(-1)
+    end
+
     local ngx_ctx = ngx.ctx
     local api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
     ngx_ctx.api_ctx = api_ctx
 
-    local ok, err = router.router_ssl.match_and_set(api_ctx)
+    local ok, err = router.router_ssl.match_and_set(api_ctx, true, host)
 
     ngx_ctx.matched_ssl = api_ctx.matched_ssl
     core.tablepool.release("api_ctx", api_ctx)
@@ -194,8 +212,12 @@ function _M.http_ssl_phase()
         end
         ngx_exit(-1)
     end
-end
 
+    local ssl_protocols = ngx_ctx.matched_ssl.value.ssl_protocols
+    if ssl_protocols then
+        ssl_clt.set_protocols(ssl_protocols)
+    end
+end
 
 local function stash_ngx_ctx()
     local ref = ctxdump.stash_ngx_ctx()

apisix/schema_def.lua

@@ -790,6 +790,15 @@ _M.ssl = {
             enum = {1, 0},
             default = 1
         },
+        ssl_protocols = {
+            description = "set ssl protocols",
+            type = "array",
+            maxItems = 3,
+            uniqueItems = true,
+            items = {
+                enum = {"TLSv1.1","TLSv1.2", "TLSv1.3"}
+            },
+        },
         validity_end = timestamp_def,
         validity_start = timestamp_def,
         create_time = timestamp_def,

apisix/ssl/router/radixtree_sni.lua

@@ -205,13 +205,35 @@ function _M.match_and_set(api_ctx, match_only, alt_sni)
         end
     end
 
-    local matched_ssl = api_ctx.matched_ssl
-    core.log.info("debug - matched: ", core.json.delay_encode(matched_ssl, true))
+    core.log.info("debug - matched: ", core.json.delay_encode(api_ctx.matched_ssl, true))
 
     if match_only then
         return true
     end
 
+    ok, err = _M.set(api_ctx.matched_ssl, sni)
+    if not ok then
+        return false, err
+    end
+
+    return true
+end
+
+
+function _M.set(matched_ssl, sni)
+    if not matched_ssl then
+        return false, "not found any matched ssl certificate"
+    end
+    local err,ok
+    if not sni then
+        sni, err = apisix_ssl.server_name()
+        if type(sni) ~= "string" then
+            local advise = "please check if the client requests via IP or uses an outdated " ..
+                           "protocol. If you need to report an issue, " ..
+                           "provide a packet capture file of the TLS handshake."
+            return false, "failed to find SNI: " .. (err or advise)
+        end
+    end
     ngx_ssl.clear_certs()
 
     local new_ssl_value = secret.fetch_secrets(matched_ssl.value) or matched_ssl.value

docs/en/latest/admin-api.md

@@ -1194,6 +1194,7 @@ SSL resource request address: /apisix/admin/ssls/{id}
 | update_time  | False    | Auxiliary                | Epoch timestamp (in seconds) of the updated time. If missing, this field will be populated automatically.         | 1602883670                                       |
 | type         | False    | Auxiliary            | Identifies the type of certificate, default  `server`.                                                                             | `client` Indicates that the certificate is a client certificate, which is used when APISIX accesses the upstream; `server` Indicates that the certificate is a server-side certificate, which is used by APISIX when verifying client requests.     |
 | status       | False    | Auxiliary                | Enables the current SSL. Set to `1` (enabled) by default.                                                      | `1` to enable, `0` to disable                    |
+| ssl_protocols | False    | An array of ssl protocols               | It is used to control the SSL/TLS protocol version used between servers and clients. Defaults to `["TLSv1.2","TLSv1.3"]`.                                                         |                                                  |
 
 Example Configuration:
 

docs/en/latest/ssl-protocols.md

@@ -0,0 +1,248 @@
+---
+title: SSL Protocol
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+`APISIX` supports dynamically specifying different TLS protocol versions for each host.
+
+## Configuration instructions
+
+- Static configuration
+The ssl_protocols parameters in the static configuration will apply globally to apisix, but cannot be modified dynamically.
+
+```yaml
+apisix:
+  ssl:
+    ssl_protocols: TLSv1.2 TLSv1.3
+```
+
+- Dynamic resource allocation
+
+Dynamic resource configuration is to create and manage ssl resources through the admin API interface of apisix. The new ssl. ssl_protocols configuration item can control fine grain for the host and dynamically specify the TLS protocol version of each host.
+
+```bash
+# curl http://127.0.0.1:9180/admin/apisix/ssls/1
+{
+    "cert": "$cert",     
+    "key": "$key",      
+    "snis": ["test.com"],   
+    "ssl_protocols": [
+        "TLSv1.2",
+        "TLSv1.3"
+    ]
+}
+```
+
+The configuration will be subject to the ssl resource, and the static configuration will be overwritten . For example, if you set ssl_protocols: TLSv1.2 TLSv1.3 in config.yaml, but set ssl.ssl_protocols: [TLSv1.3] in the resource configuration, then the final apisix will use the TLSv1.3 protocol. Therefore, when using the ssl configuration of apisix, you need to pay attention to the following points:
+
+- SSL resource configuration will override static configuration globally, subject to resource configuration.
+- SSL resource configuration can be modified dynamically, while static configuration requires a restart of apisix to take effect.
+- SSL resource configuration can be controlled according to fine grain sni.
+
+## Usage examples
+
+### Scenario, one-on-one adaptation of multiple TLS protocol versions
+
+In the communication between end point products and servers, we need to consider the TLS protocol compatibility issues of multiple end point products. For example, some old products, old Android phones, TVs and other end point devices, still use the lower-level TLSv1.1 protocol version, while new products use the higher-level TLS protocol version. If the new product supports TLSv1.1, it may bring some security risks. In order to ensure that the product can establish secure communication, we need to adapt between protocol versions.
+As shown in the following example, app.org is the domain name used by the end point device of the old product and needs to be configured as TLSv1.1, while app2.org belongs to the new product and supports the TLSv1.2 and TLSv1.3 protocols.
+
+1. Specify the TLSv1.1 protocol version for app.org legacy products.
+
+```bash
+# curl http://127.0.0.1:9180/admin/apisix/ssls/app
+{
+    "cert": "$app_cert",     
+    "key": "$app_key",      
+    "snis": ["app.org"],
+    "ssl_protocols": [
+        "TLSv1.1"
+    ]
+}
+```
+
+2. app2.org new product line specifies support for the TLSv1.2 and TLSv1.3 protocols.
+
+```bash
+# curl http://127.0.0.1:9180/admin/apisix/ssls/app2
+{
+    "cert": "$app2_cert",     
+    "key": "$app2_key",      
+    "snis": ["app2.org"],
+    "ssl_protocols": [
+        "TLSv1.2"，
+        "TLSv1.3"
+    ]
+}
+curl  --tls-max 1.1 --tlsv1.1 https://app.org  # tls 1.1
+
+curl  --tls-max 1.3 --tlsv1.2 https://app2.org # tls 1.2
+```
+
+### Scenario, two or more domain names use different protocols, but are associated with the same certificate.
+
+Sometimes, we may encounter a scenario where multiple domain names are associated with the same certificate, but they need to use different versions of the TLS protocol to ensure security. For example, test.com domain names need to use the TlSv1.2 protocol, while test2.com domain names need to use the TLSv1.3 protocol. In this case, we cannot simply use the same SSL object for all domain names, but need to create a separate SSL object for each domain name and specify the corresponding protocol version. In this way, we can perform correct SSL handshaking and encrypted communication based on different domain names and protocol versions. An example is as follows:
+
+1. Create ssl object for test.com using certificate and specify TLSv1.2 protocol
+
+```bash
+# curl http://127.0.0.1:9180/admin/apisix/ssls/test
+{
+    "cert": "$cert",     
+    "key": "$key",      
+    "snis": ["test.com"],
+    "ssl_protocols": [
+        "TLSv1.2"
+    ]
+}
+```
+
+2. Using the same certificate as test.com, create an SSL object for test2.com and specify the TLSv1.3 protocol.
+
+```bash
+# curl http://127.0.0.1:9180/admin/apisix/ssls/test2
+{
+    "cert": "$cert",     
+    "key": "$key",      
+    "snis": ["test2.com"],
+    "ssl_protocols": [
+        "TLSv1.3"
+    ]
+}
+```
+
+3. verify
+
+* Successfully to accessed test.com with TLSv1.2 protocol
+
+```shell
+$ curl --tls-max 1.2 --tlsv1.2  https://test.com:9443 -v -k -I
+*   Trying 127.0.0.1:9443...
+* Connected to test.com (127.0.0.1) port 9443 (#0)
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* successfully set certificate verify locations:
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.2 (OUT), TLS handshake, Client hello (1):
+* TLSv1.2 (IN), TLS handshake, Server hello (2):
+* TLSv1.2 (IN), TLS handshake, Certificate (11):
+* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
+* TLSv1.2 (IN), TLS handshake, Server finished (14):
+* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
+* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.2 (OUT), TLS handshake, Finished (20):
+* TLSv1.2 (IN), TLS handshake, Finished (20):
+* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
+* ALPN, server accepted to use h2
+* Server certificate:
+*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=test.com
+*  start date: Jul 20 15:50:08 2023 GMT
+*  expire date: Jul 17 15:50:08 2033 GMT
+*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=test.com
+*  SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
+* Using HTTP2, server supports multi-use
+* Connection state changed (HTTP/2 confirmed)
+* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
+* Using Stream ID: 1 (easy handle 0x5608905ee2e0)
+> HEAD / HTTP/2
+> Host: test.com:9443
+> user-agent: curl/7.74.0
+> accept: */*
+
+```
+
+* Failed to accessed test.com with TLSv1.3 protocol
+
+```shell
+$ curl --tls-max 1.3 --tlsv1.3  https://test.com:9443 -v -k -I 
+*   Trying 127.0.0.1:9443...
+* Connected to test.com (127.0.0.1) port 9443 (#0)
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* successfully set certificate verify locations:
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+* TLSv1.3 (IN), TLS alert, protocol version (582):
+* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
+* Closing connection 0
+curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
+
+```
+
+* Successfully to accessed test2.com with TLSv1.3 protocol
+
+```shell
+$ curl --tls-max 1.3 --tlsv1.3  https://test2.com:9443 -v -k -I
+*   Trying 127.0.0.1:9443...
+* Connected to test2.com (127.0.0.1) port 9443 (#0)
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* successfully set certificate verify locations:
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN, server accepted to use h2
+* Server certificate:
+*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=test2.com
+*  start date: Jul 20 16:05:47 2023 GMT
+*  expire date: Jul 17 16:05:47 2033 GMT
+*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=test2.com
+*  SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
+* Using HTTP2, server supports multi-use
+* Connection state changed (HTTP/2 confirmed)
+* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
+* Using Stream ID: 1 (easy handle 0x55569cbe42e0)
+> HEAD / HTTP/2
+> Host: test2.com:9443
+> user-agent: curl/7.74.0
+> accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+```
+
+* Failed to accessed test2.com with TLSv1.2 protocol
+
+```shell
+$ curl --tls-max 1.2 --tlsv1.2  https://test2.com:9443 -v -k -I
+*   Trying 127.0.0.1:9443...
+* Connected to test2.com (127.0.0.1) port 9443 (#0)
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* successfully set certificate verify locations:
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.2 (OUT), TLS handshake, Client hello (1):
+* TLSv1.2 (IN), TLS alert, protocol version (582):
+* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
+* Closing connection 0
+curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
+```

docs/zh/latest/admin-api.md

@@ -1202,6 +1202,7 @@ SSL 资源请求地址：/apisix/admin/ssls/{id}
 | update_time | 否   | 辅助           | epoch 时间戳，单位为秒。如果不指定则自动创建。                                                          | 1602883670                                       |
 | type        | 否   | 辅助           | 标识证书的类型，默认值为 `server`。                                                                     | `client` 表示证书是客户端证书，APISIX 访问上游时使用；`server` 表示证书是服务端证书，APISIX 验证客户端请求时使用。     |
 | status      | 否   | 辅助           | 当设置为 `1` 时，启用此 SSL，默认值为 `1`。                                                               | `1` 表示启用，`0` 表示禁用                       |
+| ssl_protocols | 否    | tls协议字符串数组               | 用于控制服务器与客户端之间使用的 SSL/TLS 协议版本。 默认值为 `["TLSv1.2","TLSv1.3"]`.                                                         |                                                  |
 
 SSL 对象 JSON 配置示例：