From e050ff1b9f180364f5e50ea1f06a40dc152ffcd1 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Fri, 18 Sep 2020 00:08:00 -0400
Subject: [PATCH] disable session tickets by default

---
 docs/deploy/hardening-guide.md | 2 +-
 docs/user-guide/nginx-configuration/configmap.md | 2 +-
 internal/ingress/controller/config/config.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md
index d09b31cff..de3464511 100644
--- a/docs/deploy/hardening-guide.md
+++ b/docs/deploy/hardening-guide.md
@@ -88,7 +88,7 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho
 | 4.1.10 Ensure upstream server traffic is authenticated with a client certificate (Scored) | DEPENDS ON BACKEND | Highly dependend on backends, not every backend allows configuring this, can also be mitigated via a service mesh| If backend allows it, [manual is here](https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/)|
 | 4.1.11 Ensure the upstream traffic server certificate is trusted (Not Scored) | DEPENDS ON BACKEND | Highly dependend on backends, not every backend allows configuring this, can also be mitigated via a service mesh| If backend allows it, [see configuration here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-certificate-authentication) |
 | 4.1.12 Ensure your domain is preloaded (Not Scored) | ACTION NEEDED| Preload is not active by default | Set controller.config.hsts-preload to true|
-| 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)| ACTION NEEDED| Session tickets are enabled by default | Set controller.config.ssl-session-tickets to false|
+| 4.1.13 Ensure session resumption is disabled to enable perfect forward security (Scored)| OK | Session tickets are disabled by default | |
 | 4.1.14 Ensure HTTP/2.0 is used (Not Scored) | OK | http2 is set by default| | | ||| | | __5 Request Filtering and Restrictions__||| |
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 7e0378bb6..45d1b8e05 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
@@ -86,7 +86,7 @@ The following table shows a configuration option's name, type, and the default v
 |[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"|
 |[ssl-session-cache](#ssl-session-cache)|bool|"true"|
 |[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"|
-|[ssl-session-tickets](#ssl-session-tickets)|bool|"true"|
+|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"|
 |[ssl-session-ticket-key](#ssl-session-ticket-key)|string|``
 |[ssl-session-timeout](#ssl-session-timeout)|string|"10m"|
 |[ssl-buffer-size](#ssl-buffer-size)|string|"4k"|
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index fd856be07..f2312ba48 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -761,7 +761,7 @@ func NewDefault() Configuration {
 SSLEarlyData: sslEarlyData,
 SSLSessionCache: true,
 SSLSessionCacheSize: sslSessionCacheSize,
- SSLSessionTickets: true,
+ SSLSessionTickets: false,
 SSLSessionTimeout: sslSessionTimeout,
 EnableBrotli: false,
 UseGzip: true,
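Review bot: Setting `SSLSessionTickets: false` does not by itself turn off TLS session resumption, because `SSLSessionCache: true` two lines above is left on, so session-ID resumption from nginx's shared cache (and, presumably, stateful TLS 1.3 resumption with OpenSSL 1.1.1+) still works; the "session resumption is disabled" reading this default is meant to satisfy (CIS 4.1.13) holds only for stateless tickets, and that should be stated rather than implied. The flipped line also carries no rationale next to the other defaults; I would add `// Stateless session tickets are off by default: a leaked or long-lived ticket key` / `// undermines forward secrecy (CIS NGINX Benchmark 4.1.13). Operators who need` / `// cross-replica resumption must opt back in and rotate ssl-session-ticket-key.` above it. Deployments that relied on a shared `ssl-session-ticket-key` for resumption across replicas presumably lose that with this default, since the key is a no-op once tickets are off — worth a changelog note and a confirm against the template. NewDefault begins and ends outside this hunk.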