Kubernetes NGINX ingress controller activate TLSv1.1

12/17/2019

for some legacy systems, I need to activate TLSv1.1 on my NGINX ingress controller until they are switched to TLSv1.2. It should be fairly easy according to the documentation, but I am getting a handshake error. Looks like Nginx is not serving any certificate at all.

ConfigMap:

apiVersion: v1
data:
  log-format: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  log-format-escape-json: "true"
  log-format-upstream: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  ssl-protocols: TLSv1.1 TLSv1.2
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: nginx

curl:

$ curl  https://example.com/healthcheck -I --tlsv1.2 
HTTP/2 200 
....


$ curl  https://example.com/healthcheck -I --tlsv1.1 -k -vvv
*   Trying 10.170.111.150...
* TCP_NODELAY set
* Connected to example.com (10.170.111.150) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS alert, Server hello (2):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

openssh:

$ openssl s_client -servername example.com -connect example.com:443 -tls1_2 
CONNECTED(00000007)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, L = NY, O = Example, CN = example.com
verify return:1
---
Certificate chain
...
---
Server certificate
...
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3584 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    ....
    Verify return code: 0 (ok)
---


$ openssl s_client -servername example.com -connect example.com:443 -tls1_1
CONNECTED(00000007)
4541097580:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 40
4541097580:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1576574691
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

A sum-up of questions:

1) How to enable TLSv1.1 on Nginx ingress?

2) Can I see in the logs (where) which tls version was used to connect? I cannot find anything with kubectl logs -n Nginx pod?

-- Antman
kubernetes
nginx
nginx-ingress
tls1.1

1 Answer

12/17/2019

For anyone else having this problem. -> But please consider deactivating TLSv1 and TLSv1.1 as soon as possible!!!

apiVersion: v1
data:
  log-format: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  log-format-escape-json: "true"
  log-format-upstream: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  ssl-early-data: "true"
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: nginx
-- Antman
Source: StackOverflow