How to configure Ingress backend to work exclusively with TLSv1.3

Time: 11-03

I have an ingress (nginx) that proxies to an application exposing 8443 (SSL) with a self-signed certificate. It all works fine over http, but over https I get the following error:

2022/10/31 18:04:28 [error] 39#39: *1855 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 127.0.0.1, server: _, request: "GET /web-service/ HTTP/2.0", upstream: "https://10.2.1.37:8443/web-service/", host: "localhost:8443"

After a little bit of research I established that my web-service is only supporting:

"TLSv1.3" and "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AE"

I curled in, and indeed if I use anything other than TLSv1.3 explicitly I get a similar error. I also forced the web service to downgrade to TLSv1.2 and it works, but obviously that's not great.

Is there a way to configure the ingress nginx backend configuration to only use TLSv1.3 and these protocols in the ingress itself?

Something like ssl_protocols TLSv1.3; but as an annotation at the backend level? I tried a snippet but it does not seem to be applied at the right level.

Here is my current code:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress2
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "off"
    nginx.ingress.kubernetes.io/rewrite-target: /web-service/$1
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /web-service/(.*)
        pathType: Prefix
        backend:
          service:
            name: my-web-service
            port:
              number: 8443

CodePudding user response:

Seems you need to add a ConfigMap to change the default behavior.

See the end of the following link:

https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-tls-version-and-ciphers

CodePudding user response:

So apparently there is no solution at the time of writing other than to downgrade the backend to TLS v1.2. See open ticket https://github.com/kubernetes/ingress-nginx/issues/8257
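To make concrete which of the two TLS sides the question is about, here is an added plain-nginx illustration (not from the question or either answer). The listener-side `ssl_protocols` is what the ConfigMap keys in the first answer's link control; the handshake error in the question happens on the upstream side, which is governed by the `proxy_ssl_*` directives instead. The certificate paths and the backend certificate name are assumptions; `10.2.1.37:8443` is the upstream from the error log in the question.

```nginx
# Added illustration, not the page's own config. Assumed values: the
# listener certificate paths, the backend CA path, and the backend name.
server {
    listen 443 ssl;
    server_name _;

    # Client-facing side: this is what ingress-nginx's ConfigMap keys
    # ssl-protocols / ssl-ciphers map to. Changing it does not affect
    # the controller's handshake towards the backend.
    ssl_certificate     /etc/nginx/tls/ingress.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/ingress.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /web-service/ {
        # Upstream from the error log in the question.
        proxy_pass https://10.2.1.37:8443/web-service/;

        # Upstream-facing side: "tlsv1 alert protocol version" (alert 70)
        # is sent by the backend when this offer does not include a
        # version it accepts, so this is the directive that must match a
        # TLSv1.3-only backend.
        proxy_ssl_protocols TLSv1.3;

        # proxy_ssl_ciphers takes an OpenSSL cipher list, which covers
        # TLS 1.2 and older suites only; TLS 1.3 suites come from OpenSSL's
        # built-in defaults, which already include the AES-GCM and
        # CHACHA20-POLY1305 suites the backend advertises.

        # Trust the self-signed backend certificate explicitly rather than
        # disabling verification: export it once and trust only that file.
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;  # assumed path
        proxy_ssl_verify      on;
        proxy_ssl_server_name on;
        proxy_ssl_name        my-web-service;  # assumed; must match the backend cert's SAN
    }
}
```

With `proxy_ssl_protocols` left at its default, nginx as a client offers the versions the backend rejects, which reproduces the alert 70 in the question regardless of the listener-side settings.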
