Merge pull request #4412 from Shopify/ssl-early-data

Add nginx ssl_early_data option support
2019-08-15 10:08:35 -07:00 · 2019-08-15 10:08:35 -07:00 · 0b375989f3
commit 0b375989f3
parent 6948cd7d65 7219130da4
3 changed files with 19 additions and 0 deletions
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@ -481,6 +481,14 @@ Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#

 Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`.

+## ssl-early-data
+
+Enables or disables TLS 1.3 [early data](https://tools.ietf.org/html/rfc8446#section-2.3)
+
+This requires `ssl-protocols` to have `TLSv1.3` enabled.
+
+[ssl_early_data](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data). The default is: `false`.
+
 ## ssl-session-cache

 Enables or disables the use of shared [SSL cache](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) among worker processes.
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -73,6 +73,10 @@ const (
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 	sslProtocols = "TLSv1.2"

+	// Disable TLS 1.3 early data
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+	sslEarlyData = false
+
 	// Time during which a client may reuse the session parameters stored in a cache.
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
 	sslSessionTimeout = "10m"
@ -310,6 +314,10 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 	SSLProtocols string `json:"ssl-protocols,omitempty"`

+	// Enables or disable TLS 1.3 early data.
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+	SSLEarlyData bool `json:"ssl-early-data,omitempty"`
+
 	// Enables or disables the use of shared SSL cache among worker processes.
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
 	SSLSessionCache bool `json:"ssl-session-cache,omitempty"`
@ -682,6 +690,7 @@ func NewDefault() Configuration {
 		SSLCiphers:                       sslCiphers,
 		SSLECDHCurve:                     "auto",
 		SSLProtocols:                     sslProtocols,
+		SSLEarlyData:                     sslEarlyData,
 		SSLSessionCache:                  true,
 		SSLSessionCacheSize:              sslSessionCacheSize,
 		SSLSessionTickets:                true,
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -351,6 +351,8 @@ http {

    ssl_protocols {{ $cfg.SSLProtocols }};

+    ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
+
    # turn on session caching to drastically improve performance
    {{ if $cfg.SSLSessionCache }}
    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};