From 639a8c7871d20caaaeb61b8952c639aa45f3251e Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Sat, 2 May 2020 13:29:27 +0200
Subject: [PATCH 1/2] Enable TLSv1.3 by default
Fix for 049b25e566862c627b16a1698ebe68fc1e5b20b2 which mistakenly only updated documentation.
---
 internal/ingress/controller/config/config.go | 2 +-
 test/e2e/settings/tls.go | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index ae60cacdd..b39145957 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@@ -70,7 +70,7 @@ const (
 // SSL enabled protocols to use
 // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
- sslProtocols = "TLSv1.2"
+ sslProtocols = "TLSv1.2 TLSv1.3"
 // Disable TLS 1.3 early data
 // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go
index ef980f384..2b8b098c8 100644
--- a/test/e2e/settings/tls.go
+++ b/test/e2e/settings/tls.go
@@ -64,7 +64,10 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f
 })
 ginkgo.It("setting cipher suite", func() {
- f.UpdateNginxConfigMapData(sslCiphers, testCiphers)
+ f.SetNginxConfigMapData(map[string]string{
+ sslCiphers: testCiphers,
+ sslProtocols: "TLSv1.2",
+ })
 f.WaitForNginxConfiguration(
 func(cfg string) bool {
From 4a36c804e6eab007362cd6847036d958702351fb Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Sun, 3 May 2020 21:17:20 +0200
Subject: [PATCH 2/2] Add 0-RTT warning
---
 docs/user-guide/nginx-configuration/configmap.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
index 54ebc3e68..e43090fb3 100755
--- a/docs/user-guide/nginx-configuration/configmap.md
+++ b/docs/user-guide/nginx-configuration/configmap.md
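Review bot: The comment above `sslProtocols` still reads only `// SSL enabled protocols to use`, and the commit message says the previous attempt changed the documentation without changing this constant, so nothing in the code ties the default to the documented value. A comment naming the default and the place it must stay in sync with would make that drift visible on the next edit, e.g. `// SSL enabled protocols to use (default TLSv1.2 and TLSv1.3; keep in sync with docs/user-guide/nginx-configuration/configmap.md)`. Since the early-data setting documented in the context lines below this change is left untouched, enabling TLSv1.3 here does not by itself expose 0-RTT; whether the nginx build in the controller image links a TLS library that actually supports TLSv1.3 is not visible in this hunk and is worth confirming before the default is relied on. The enclosing `const (` block continues outside the hunk.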
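Review bot: The new `sslProtocols: "TLSv1.2"` entry in the cipher-suite test has no comment explaining why the protocol set is pinned, and nothing in this patch asserts that the new default of `TLSv1.2 TLSv1.3` reaches the rendered `ssl_protocols` directive — exactly the gap that let the earlier documentation-only change go unnoticed. Presumably the pin is needed because the cipher assertion on the rendered configuration would otherwise be affected by TLSv1.3 now being enabled by default; a one-line comment such as `// pin the protocol set so the ssl_ciphers assertion below is unaffected by the TLSv1.3 default` would record that for the next reader. A companion `ginkgo.It` that leaves `ssl-protocols` unset and uses `f.WaitForNginxConfiguration` to check that the rendered config contains `ssl_protocols TLSv1.2 TLSv1.3` would pin the default going forward. The switch from `UpdateNginxConfigMapData` to `SetNginxConfigMapData` with a map suggests the ConfigMap data is now replaced rather than merged; if that is the case, any other settings this test relies on would have to be included in the map. The enclosing `ginkgo.It` closure and the `DescribeSetting` block both continue outside the hunk.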
@@ -516,9 +516,11 @@ Please check the result of the configuration using `https://ssllabs.com/ssltest/
 ## ssl-early-data
-Enables or disables TLS 1.3 [early data](https://tools.ietf.org/html/rfc8446#section-2.3)
+Enables or disables TLS 1.3 [early data](https://tools.ietf.org/html/rfc8446#section-2.3), also known as Zero Round Trip
+Time Resumption (0-RTT).
-This requires `ssl-protocols` to have `TLSv1.3` enabled.
+This requires `ssl-protocols` to have `TLSv1.3` enabled. Enable this with caution, because requests sent within early
+data are subject to [replay attacks](https://tools.ietf.org/html/rfc8470).
 [ssl_early_data](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data).
 The default is: `false`.