removed tlsv1 & tlsv1.1 (#11408)

Co-authored-by: longwuyuan <longwuyuan@gmail.com>

docs/user-guide/tls.md

@@ -145,7 +145,7 @@ metadata:
   name: nginx-config
 data:
   ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
-  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+  ssl-protocols: "TLSv1.2 TLSv1.3"
 ```
 
 

internal/ingress/annotations/proxyssl/main.go

@@ -32,7 +32,7 @@ import (
 
 const (
 	defaultProxySSLCiphers     = "DEFAULT"
-	defaultProxySSLProtocols   = "TLSv1 TLSv1.1 TLSv1.2"
+	defaultProxySSLProtocols   = "TLSv1.2"
 	defaultProxySSLVerify      = "off"
 	defaultProxySSLVerifyDepth = 1
 	defaultProxySSLServerName  = "off"
@@ -40,7 +40,7 @@ const (
 
 var (
 	proxySSLOnOffRegex    = regexp.MustCompile(`^(on|off)$`)
-	proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3| )*$`)
+	proxySSLProtocolRegex = regexp.MustCompile(`^(TLSv1\.2|TLSv1\.3| )*$`)
 	proxySSLCiphersRegex  = regexp.MustCompile(`^[A-Za-z0-9\+:\_\-!]*$`)
 )
 

internal/ingress/annotations/proxyssl/main_test.go

@@ -32,7 +32,7 @@ const (
 	proxySslCiphers   = "HIGH:-SHA"
 	off               = "off"
 	sslServerName     = "w00t"
-	defaultProtocol   = "SSLv2 TLSv1 TLSv1.2 TLSv1.3"
+	defaultProtocol   = "TLSv1.2 TLSv1.3"
 )
 
 func buildIngress() *networking.Ingress {
@@ -103,7 +103,7 @@ func TestAnnotations(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix(proxySSLSecretAnnotation)] = defaultDemoSecret
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = proxySslCiphers
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "$host"
-	data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 SSLv2 TLSv1   TLSv1.2"
+	data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 TLSv1.2"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "on"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = off
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on"

internal/ingress/annotations/sslcipher/main.go

@@ -43,7 +43,7 @@ var sslCipherAnnotations = parser.Annotation{
 			Scope:     parser.AnnotationScopeIngress,
 			Risk:      parser.AnnotationRiskLow,
 			Documentation: `The following annotation will set the ssl_prefer_server_ciphers directive at the server level. 
-			This configuration specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.`,
+			This configuration specifies that server ciphers should be preferred over client ciphers when using the TLS protocols.`,
 		},
 		sslCipherAnnotation: {
 			Validator:     parser.ValidateRegex(regexValidSSLCipher, true),

pkg/apis/ingress/types.go

@@ -210,7 +210,7 @@ type Server struct {
 	// SSLCiphers returns list of ciphers to be enabled
 	SSLCiphers string `json:"sslCiphers,omitempty"`
 	// SSLPreferServerCiphers indicates that server ciphers should be preferred
-	// over client ciphers when using the SSLv3 and TLS protocols.
+	// over client ciphers when using the TLS protocols.
 	SSLPreferServerCiphers string `json:"sslPreferServerCiphers,omitempty"`
 	// AuthTLSError contains the reason why the access to a server should be denied
 	AuthTLSError string `json:"authTLSError,omitempty"`

test/e2e/annotations/proxyssl.go

@@ -47,7 +47,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
 		ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
-		assertProxySSL(f, host, "", "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "off", 1, "")
+		assertProxySSL(f, host, "", "DEFAULT", "TLSv1.2", "off", 1, "")
 
 		f.HTTPTestClient().
 			GET("/").
@@ -77,7 +77,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
 		ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
-		assertProxySSL(f, host, "", "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "on", 2, "on")
+		assertProxySSL(f, host, "", "DEFAULT", "TLSv1.2", "on", 2, "on")
 
 		f.HTTPTestClient().
 			GET("/").
@@ -105,7 +105,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
 		ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
 		f.EnsureIngress(ing)
 
-		assertProxySSL(f, host, "", "HIGH:!AES", "TLSv1 TLSv1.1 TLSv1.2", "off", 1, "")
+		assertProxySSL(f, host, "", "HIGH:!AES", "TLSv1.2", "off", 1, "")
 
 		f.HTTPTestClient().
 			GET("/").
@@ -171,7 +171,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
 		wlValue := "true"
 		f.UpdateNginxConfigMapData(wlKey, wlValue)
 
-		assertProxySSL(f, host, secretName, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "on", 1, "on")
+		assertProxySSL(f, host, secretName, "DEFAULT", "TLSv1.2", "on", 1, "on")
 
 		f.WaitForNginxCustomConfiguration("## start server proxyssl.com", "location ", func(server string) bool {
 			return (!strings.Contains(server, "proxy_ssl_trusted_certificate") &&