AKS encrypts connection with TLS 1.3, but we need 1.2. How to configure?

Time:02-17

We've an application and API, running on kubernetes on Azure, using an nginx-ingress and cert-manager which automatically creates letsencrypt certificates. The connection to the application/API is encrypted with TLS1.3.

From an older application, running on a Win 2012 server, we want to retrieve data from the API (on k8s). This isn't successful, since TLS1.3 isn't supported on that server.

I'd like to set the minimum version of TLS to 1.2 on kubernetes. How can I achieve that?

I've read that with kubelet, the tls-min-version can be configured, but I don't know how to apply this.

Note: we use az aks create to create the k8s clusters.

CodePudding user response:

As your Windows server connects to the application on K8s, you have to set the version of TLS at the Nginx ingress level.

Nginx ingress & cert-manager is the point where your server connects and accesses the API, so you just have to update the TLS version of Nginx.

You can do it by changing the config map for the Nginx ingress controller. You might also need to update the certificate; there could be a chance that by default Let's Encrypt (CA) is providing the default TLS 1.3.

So after enabling TLS 1.2 for Nginx you might need to re-generate the cert-manager secret (certificate).

Configmap Nginx ingress controller

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: ingress-nginx
data:
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
  ssl-protocols: "TLSv1.2 TLSv1.3"

The above configmap will start both TLS versions for the Nginx ingress controller.
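To confirm from the client side that the ingress accepts both versions once the ConfigMap is applied, here is an added example (not part of the original answer) that pins a client to one protocol version at a time and records the negotiated cipher. The hostname `api.example.com` is a placeholder, and the function names are hypothetical.

```python
import socket
import ssl
import sys

# The two protocol versions the ConfigMap's ssl-protocols value enables.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version):
    """Client context that offers exactly one TLS version.

    create_default_context() keeps certificate and hostname verification on,
    so a failure can also mean the Let's Encrypt certificate is not served.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version name: negotiated cipher name, or None if refused}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = pinned_context(version)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except OSError:  # covers ssl.SSLError, timeouts, refused connections
            results[name] = None
    return results


def legacy_client_ok(results):
    """True when a TLS 1.2-only client could complete a handshake."""
    return results.get("TLSv1.2") is not None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"  # placeholder
    outcome = probe(host)
    for name, cipher in outcome.items():
        print(f"{name}: {cipher or 'handshake failed'}")
    sys.exit(0 if legacy_client_ok(outcome) else 1)
```

The probe uses this machine's OpenSSL cipher list, so a successful TLS 1.2 handshake here does not guarantee that the Windows server shares a cipher with the `ssl-ciphers` value; compare the printed cipher with what that server offers.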
