From 049b25e566862c627b16a1698ebe68fc1e5b20b2 Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Mon, 13 Apr 2020 17:46:33 +0200
Subject: [PATCH] Update TLS configuration

Enable TLSv1.3 by default and update list of ciphers. The new configuration matches the 'Intermediate' configuration recommended by the Mozilla SSL Configuration Generator: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.4
---
 docs/user-guide/nginx-configuration/configmap.md | 9 ++++-----
 docs/user-guide/tls.md | 10 ++++++----
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index d893782bd..8b7a8dfb5 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -76,10 +76,10 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64|
 |[reuse-port](#reuse-port)|bool|"true"|
 |[server-tokens](#server-tokens)|bool|"true"|
-|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"|
+|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"|
 |[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"|
 |[ssl-dh-param](#ssl-dh-param)|string|""|
-|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2"|
+|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"|
 |[ssl-session-cache](#ssl-session-cache)|bool|"true"|
 |[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"|
 |[ssl-session-tickets](#ssl-session-tickets)|bool|"true"|
@@ -474,7 +474,7 @@ Send NGINX Server header in responses and display NGINX version in error pages.
 Sets the [ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. The ciphers are specified in the format understood by the OpenSSL library. The default cipher list is:
- `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256`.
+ `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`.
 The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect [forward secrecy](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy).
@@ -499,7 +499,7 @@ _References:_
 ## ssl-protocols
-Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) to use. The default is: `TLSv1.2`.
+Sets the [SSL protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) to use. The default is: `TLSv1.2 TLSv1.3`.
 Please check the result of the configuration using `https://ssllabs.com/ssltest/analyze.html` or `https://testssl.sh`.
@@ -1055,4 +1055,3 @@ _References:_
 Set if proxy-ssl parameters should be applied only on locations and not on servers. _**default:**_ is disabled
-
diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md
index e4764de67..097c5c35e 100644
--- a/docs/user-guide/tls.md
+++ b/docs/user-guide/tls.md
@@ -105,7 +105,7 @@ The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.
 To provide the most secure baseline configuration possible,
-nginx-ingress defaults to using TLS 1.2 only and a [secure set of TLS ciphers][ssl-ciphers].
+nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a [secure set of TLS ciphers][ssl-ciphers].
 ### Legacy TLS
@@ -117,7 +117,8 @@ are not compatible with nginx-ingress's default configuration.
 To change this default behavior, use a [ConfigMap][ConfigMap].
-A sample ConfigMap fragment to allow these older clients to connect could look something like the following:
+A sample ConfigMap fragment to allow these older clients to connect could look something like the following
+(generated using the Mozilla SSL Configuration Generator)[mozilla-ssl-config-old]:
 ```
 kind: ConfigMap
@@ -125,8 +126,8 @@ apiVersion: v1
 metadata:
 name: nginx-config
 data:
- ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
- ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"
+ ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+ ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
 ```
@@ -137,3 +138,4 @@ data:
 [ConfigMap]: ./nginx-configuration/configmap.md
 [ssl-ciphers]: ./nginx-configuration/configmap.md#ssl-ciphers
 [SNI]: https://en.wikipedia.org/wiki/Server_Name_Indication
+[mozilla-ssl-config-old]: https://ssl-config.mozilla.org/#server=nginx&config=old