TLSv1.3 ciphers/ciphersuites cannot be changed #8507
Comments
@ldawert-sys11: This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Those other ciphers don't exist for TLSv1.3; why would you want them? From OpenSSL docs: "Note that changing the TLSv1.2 and below cipher list has no impact on the TLSv1.3 ciphersuite configuration." |
I was trying to do something similar to this today because I'm having trouble connecting to a TLS enabled gRPC service via ingress-nginx. The backend only supports TLS 1.3, and I can connect to it via port-forward. nginx is failing with the following in the logs:
I then ran
I'm not seeing |
No, that's the list of ciphers supported by the client, not the server. The ServerHello tells you which of those NGinX decided to use, in this case it rejected all of them. |
@UnrealCraig ah your totally right, I mixed up the client/server hellos. Then it seems it's failing due to protocol_version. Looking at the docs for
|
Yep that was it. So gRPC TLS backends that only support tls 1.3 fail because the default grpc_ssl_protocols doesn't have tls 1.3 enabled. The following worked for gRPC with TLS termination at ingress, with TLS enabled on the backend:
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
I don't see how the gRPC solution is related to mine as there's no GRPC involved and the Backends are also not queried via TLS but rather plain HTTP.
I want to configure TLSv1.2 ciphers AND TLSv1.3 ciphersuites.
Could you please elaborate a bit more on this? Maybe give an example that I can try out for the naming?
I know - however as said I would like to adjust both TLSv1.2 and TLSv1.3 settings. Thanks in advance for your help! /remove-lifecycle rotten |
@ldawert-sys11 your original configuration looks correct, but notably it sets the TLS ciphers for the server block for your I.e. was nmap sending the correct Server Name Indication (SNI) value in the TLS ClientHello record? According to the nmap ssl-enum-ciphers documentation, the E.g. is the test result what you expect if you instead run:
I'd also suggest adding your |
Hi @jstangroome, I tried both:
I tried it with the
Also no success with this one. Behaviour was still the same. |
It's very frustrating that this is not in the docs, because they make it look like TLS_1.2 and 1.3 can be configured together: I would love to see this at least mentioned in the docs somewhere, but the config directive of 'ssl-ciphers' will only apply to TLS_1.2 (and earlier). For TLS_1.3 you have to use a generic http config directive called http-snippet that allows you to drop in any raw nginx config (and hope it's formatted correctly). This is what we have tested to work (from the ingress-nginx CM):
ssl-ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
Note the ';' at the end of the http-snippet line. |
@razholio There are not enough resources, so sometimes it takes too long. If you submit a PR for fixing the docs, I am sure it will get appropriate attention. |
TLSv1.2 not supported too ....... |
only TLSv1 and TLSv1.3 can work😓 |
Hi, can someone here say for sure that this method https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-tls-version-and-ciphers is invalid for configuring both the TLS version and also the cipher suites? I did a test and I can see that out of the box, this is what is offered. So I would assume that as of today, this is not a bug. Please re-open with data on the current release of the controller and any other findings, if my assessment is not true about being able to configure TLS v1.3 and the cipher suite via configMap or the annotation. For now I will close the issue as there are too many open issues that are inactive, so skewing the info on what we are tracking as action-items. /close |
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
NGINX Ingress controller version: Release v1.1.2, build bab0fba, NGINX version nginx/1.19.9
Kubernetes version: v1.21.3
Environment:
- kubectl version
- kubectl get nodes -o wide
- helm ls -A | grep -i ingress
- helm -n <ingresscontrollernamespace> get values <helmreleasename> (helm install values)
- kubectl describe ingressclasses
- kubectl -n <ingresscontrollernamespace> get all -A -o wide
- kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
- kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
- kubectl -n <appnamespace> get all,ing -o wide (kubectl get all,ing -n APP-NS)
- kubectl -n <appnamespace> describe ing <ingressname> (kubectl describe ing test-ingress)
What happened:
Trying to configure TLSv1.3 ciphers with:
The configuration made by the server-snippet is loaded correctly into the ingress controller pod into the server config block:
However, when testing the TLS ciphers, for example with nmap, it shows that the default ciphers for TLSv1.3 are still being used:
What you expected to happen:
Setting ssl_conf_command Ciphersuites via nginx.ingress.kubernetes.io/server-snippet should configure the used TLSv1.3 ciphers for the server block it is configured in.
How to reproduce it:
1. create app
2. create ingress
3. create debugging pod
4. check ciphers
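The "check ciphers" step above, and the two-directive setup from the thread (ssl-ciphers for TLS 1.2 and below, an ssl_conf_command Ciphersuites line for TLS 1.3), can be turned into a small verification script. The following is an added example, not code from ingress-nginx or from anyone in this issue. It assumes the ConfigMap keys ssl-ciphers and http-snippet as used in the thread, that the TLS 1.3 suites are set with an "ssl_conf_command Ciphersuites ...;" line, and that the scan output has the layout printed by nmap's ssl-enum-ciphers script (the embedded nmap output is constructed and shows the OpenSSL default TLS 1.3 suites, i.e. the symptom reported above). The name mapping from nmap's TLS_AKE_WITH_ prefix to OpenSSL's TLS_ prefix is nmap's own naming for TLS 1.3 suites.

```python
"""Verify which TLS 1.3 ciphersuites an ingress-nginx server really offers.

Added example (not from ingress-nginx or this issue). It reads the intended
cipher settings from ConfigMap-style data, parses nmap ssl-enum-ciphers
output, and reports where the two disagree.
"""
import re

# Constructed ConfigMap data mirroring the two-directive setup from the thread.
CONFIGMAP = {
    "ssl-protocols": "TLSv1.2 TLSv1.3",
    "ssl-ciphers": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "http-snippet": "ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384;",
}

# Constructed nmap output: the server still offers OpenSSL's three default
# TLS 1.3 suites, i.e. the Ciphersuites setting did not take effect.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""


def split_cipher_string(value):
    return [c for c in value.split(":") if c]


def is_tls13_suite(name):
    # OpenSSL names TLS 1.3 suites TLS_...; its names for TLS 1.2 and below
    # never carry that prefix, so this separates the two cipher namespaces.
    return name.startswith("TLS_")


def intended_ciphers(configmap):
    """Return (tls12_ciphers, tls13_suites, warnings) for a ConfigMap.

    ssl-ciphers feeds nginx's ssl_ciphers directive, which OpenSSL applies to
    TLS 1.2 and below only; TLS 1.3 suites come solely from the
    'ssl_conf_command Ciphersuites' line.
    """
    warnings, tls12, tls13 = [], [], []
    for c in split_cipher_string(configmap.get("ssl-ciphers", "")):
        if is_tls13_suite(c):
            warnings.append(f"{c} listed in ssl-ciphers has no effect on TLS 1.3")
        else:
            tls12.append(c)
    m = re.search(r"ssl_conf_command\s+Ciphersuites\s+([A-Za-z0-9_:]+)(;?)",
                  configmap.get("http-snippet", ""))
    if m:
        tls13 = split_cipher_string(m.group(1))
        if not m.group(2):
            warnings.append("ssl_conf_command Ciphersuites line lacks the trailing ';'")
    return tls12, tls13, warnings


def parse_nmap_ciphers(text):
    """Map protocol name -> ciphers listed by nmap's ssl-enum-ciphers output."""
    found, proto, in_ciphers = {}, None, False
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()
        m = re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", body)
        if m:
            proto = m.group(1)
            found.setdefault(proto, [])
            in_ciphers = False
            continue
        if body.endswith(":"):
            in_ciphers = body == "ciphers:"  # 'compressors:' etc. end the list
            continue
        m = re.match(r"(TLS_[A-Z0-9_]+)", body)
        if proto and in_ciphers and m:
            found[proto].append(m.group(1))
    return found


def to_openssl_tls13(name):
    # nmap prints TLS 1.3 suites as TLS_AKE_WITH_<suite>; OpenSSL as TLS_<suite>.
    return name.replace("TLS_AKE_WITH_", "TLS_", 1)


def compare_tls13(configmap, nmap_output):
    """Diff the intended TLS 1.3 suites against what the scan observed."""
    _, wanted, warnings = intended_ciphers(configmap)
    observed = [to_openssl_tls13(c)
                for c in parse_nmap_ciphers(nmap_output).get("TLSv1.3", [])]
    return {
        "intended": wanted,
        "observed": observed,
        "unexpected": [c for c in observed if c not in wanted],
        "missing": [c for c in wanted if c not in observed],
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in compare_tls13(CONFIGMAP, NMAP_OUTPUT).items():
        print(f"{key:>10}: {value}")
```

On the constructed data the report lists TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256 as unexpected, which is exactly the "still the default ciphers" symptom. Run nmap with the real hostname (so the SNI in the ClientHello matches the server block being tested, as raised in the thread) and feed its output to compare_tls13 in place of NMAP_OUTPUT.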