Ingress-nginx: Enable tls 1.3 in the nginx image

Created on 20 Apr 2018 · 12 Comments · Source: kubernetes/ingress-nginx

FEATURE REQUEST

TLS1.3 in nginx, add the right ciphers to the default config, add TLS1.3 to the tls config string.

I can help if needed!

Labels: kind/feature

Most helpful comment

@aledbf it's not clear from those links why 1.3 isn't enabled by default?

All 12 comments

@dgregoire we are going to do that after the official support in nginx. Please check https://trac.nginx.org/nginx/ticket/1529 and https://twitter.com/RichSalz/status/986123531913134080

Closing. This is present in the nginx 1.15 cycle but that could take up to a year and also depends on the final release of TLS 1.3.
https://trac.nginx.org/nginx/milestone/1.15

It would be nice to see this at least optionally enabled behind a setting in a ConfigMap, if possible, given that http://nginx.org/en/CHANGES says the following:

Changes with nginx 1.15.4                                        25 Sep 2018

    *) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

and

Changes with nginx 1.15.3                                        28 Aug 2018

    *) Feature: now TLSv1.3 can be used with BoringSSL.

@weisjohn we need Openssl 1.1.1 to support TLS 1.3 (that version is present only in debian testing now)

Now that OpenSSL 1.1.1 is merged, is TLS 1.3 supported?

@toutougabi yes, since 0.21.0, but it is not enabled by default. Please check https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-tls-version-and-ciphers

@aledbf it's not clear from those links why 1.3 isn't enabled by default?

Hi @aledbf I have set ssl-protocols to TLSv1.3 TLSv1.2 but I see no difference. TLS handshake still takes longer than 110ms for me. What else can I do?

TLS handshake still takes longer than 110ms for me. What else can I do?

How are you testing this? Did you use ssllabs.com/ssltest/analyze.html to check the configuration and https://www.webpagetest.org/runtest.php to check the behavior?
Is this for a webapp or a REST API? I suggest you open a new issue with more information (like my previous questions) and some context about the scenario, i.e., where you are running, size of the VMs, etc.

Hi @aledbf I was checking with curl but it wasn't built with support for 1.3. Fixed that, I see an improvement. Thanks :)

www.ssllabs.com still shows that TLS 1.3 isn't enabled even with nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.3 TLSv1.2"

Like @JohnGalt1717 it seems that TLS 1.3 is not showing when trying to enable it:

kubectl -n nginx-ingress get cm nginx-config -o yaml | grep ssl-protocol
ssl-protocols: TLSv1.2 TLSv1.3

nmap --script ssl-enum-ciphers -p 443 'nginx-ingress pod IP' | grep "TLSv\|SSLv"
| SSLv3: No supported ciphers found
| TLSv1.2:

Is there something else to do to enable TLSv1.3?
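The two checks the thread circles around, as an added example that is not part of the issue or the ingress-nginx project: first confirm the ConfigMap actually lists TLSv1.3 (the `kubectl get cm ... | grep ssl-protocol` step above), then confirm the probing client itself can speak TLS 1.3 (the curl build problem mentioned earlier) before trusting a handshake result. The ConfigMap text is a constructed sample; the host passed to `negotiated_tls_version` is assumed to serve a publicly trusted certificate.

```python
import socket
import ssl
from typing import List

# Constructed sample of what `kubectl -n nginx-ingress get cm nginx-config -o yaml` prints
SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  ssl-protocols: TLSv1.2 TLSv1.3
  ssl-early-data: "false"
"""


def configmap_ssl_protocols(yaml_text: str) -> List[str]:
    """Return the protocol list under the `ssl-protocols` key of a ConfigMap dump.
    Simple line scan so no PyYAML is needed; the first matching key wins."""
    for line in yaml_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "ssl-protocols":
            return value.strip().strip('"').split()
    return []


def tls13_enabled_in_config(yaml_text: str) -> bool:
    return "TLSv1.3" in configmap_ssl_protocols(yaml_text)


def client_supports_tls13() -> bool:
    """A client linked against an OpenSSL without TLS 1.3 (the curl case in the thread)
    can never negotiate it, so check this before reading anything into a probe."""
    return ssl.HAS_TLSv1_3


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with the ingress and return the version actually negotiated,
    e.g. 'TLSv1.3' or 'TLSv1.2'; certificate and hostname are verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no maximum, so 1.3 is offered if built in
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    print("ConfigMap lists TLSv1.3:", tls13_enabled_in_config(SAMPLE_CONFIGMAP))
    print("Client OpenSSL supports TLSv1.3:", client_supports_tls13())
    if len(sys.argv) > 1:  # optional: python3 tls13_check.py ingress.example.com
        print("Negotiated with", sys.argv[1] + ":", negotiated_tls_version(sys.argv[1]))
```

If the client check is false, a TLSv1.2 result says nothing about the ingress; rebuild or replace the client first, as the commenter above did with curl.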
