For some legacy systems, I need to activate TLSv1.1 on my NGINX ingress controller until they are switched to TLSv1.2. It should be fairly easy according to the documentation, but I am getting a handshake error. Looks like Nginx is not serving any certificate at all.
ConfigMap:
apiVersion: v1
data:
  log-format: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  log-format-escape-json: "true"
  log-format-upstream: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  ssl-protocols: TLSv1.1 TLSv1.2
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: nginx
curl:
$ curl https://example.com/healthcheck -I --tlsv1.2
HTTP/2 200
....
$ curl https://example.com/healthcheck -I --tlsv1.1 -k -vvv
* Trying 10.170.111.150...
* TCP_NODELAY set
* Connected to example.com (10.170.111.150) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS alert, Server hello (2):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
openssl:
$ openssl s_client -servername example.com -connect example.com:443 -tls1_2
CONNECTED(00000007)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, L = NY, O = Example, CN = example.com
verify return:1
---
Certificate chain
...
---
Server certificate
...
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3584 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
....
Verify return code: 0 (ok)
---
$ openssl s_client -servername example.com -connect example.com:443 -tls1_1
CONNECTED(00000007)
4541097580:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 40
4541097580:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1576574691
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
A sum-up of questions:
1) How to enable TLSv1.1 on Nginx ingress?
2) Can I see in the logs (where) which TLS version was used to connect? I cannot find anything with kubectl logs -n Nginx pod.
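On question 2, as an added example that is not part of the original post: the log format above has no TLS field, so `kubectl logs` cannot show the negotiated version. Assuming `"ssl_protocol": "$ssl_protocol", "ssl_cipher": "$ssl_cipher"` (standard nginx variables) are appended to `log-format-upstream`, this script reports which clients still connect with TLSv1/TLSv1.1; the log lines are constructed samples.

```python
import json
from collections import Counter

LEGACY = {"TLSv1", "TLSv1.1"}

# Constructed sample of controller pod output (not real traffic). The JSON
# lines use fields from the page's log format plus the two assumed additions
# "ssl_protocol" and "ssl_cipher".
SAMPLE_LOG = """\
I1217 09:24:50.000000 7 controller.go:1] constructed non-JSON controller message
{"time": "2019-12-17T09:24:51+00:00", "remote_addr": "10.0.0.21", "status":200, "vhost": "example.com", "http_user_agent": "legacy-batch/1.0", "ssl_protocol": "TLSv1.1", "ssl_cipher": "ECDHE-RSA-AES128-SHA"}
{"time": "2019-12-17T09:24:52+00:00", "remote_addr": "10.0.0.21", "status":200, "vhost": "example.com", "http_user_agent": "legacy-batch/1.0", "ssl_protocol": "TLSv1.1", "ssl_cipher": "ECDHE-RSA-AES128-SHA"}
{"time": "2019-12-17T09:24:53+00:00", "remote_addr": "10.0.0.35", "status":200, "vhost": "example.com", "http_user_agent": "curl/7.64.1", "ssl_protocol": "TLSv1.2", "ssl_cipher": "ECDHE-RSA-AES256-GCM-SHA384"}
{"time": "2019-12-17T09:24:54+00:00", "remote_addr": "10.0.0.40", "status":308, "vhost": "example.com", "http_user_agent": "probe", "ssl_protocol": "", "ssl_cipher": ""}
{"time": "2019-12-17T09:24:55+00:00", "remote_addr": "10.0.0.21", "stat
"""


def legacy_tls_clients(lines):
    """Count requests per (remote_addr, user agent, protocol, cipher) that used TLSv1 or TLSv1.1."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # the controller's own messages are not JSON access logs
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        proto = entry.get("ssl_protocol", "")
        if proto in LEGACY:  # empty value means a plain-HTTP request
            key = (entry.get("remote_addr", "-"), entry.get("http_user_agent", "-"),
                   proto, entry.get("ssl_cipher", "-"))
            hits[key] += 1
    return hits


if __name__ == "__main__":
    found = legacy_tls_clients(SAMPLE_LOG.splitlines())
    for (addr, agent, proto, cipher), count in found.most_common():
        print(f"{count:5d}  {addr}  {proto}  {cipher}  {agent}")
```

An empty result over a representative period is the signal that TLSv1 and TLSv1.1 can be removed from `ssl-protocols` again.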
For anyone else having this problem. -> But please consider deactivating TLSv1 and TLSv1.1 as soon as possible!!!
apiVersion: v1
data:
  log-format: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  log-format-escape-json: "true"
  log-format-upstream: '{"time": "$time_iso8601", "x-forwarded-for": "$http_x_forwarded_for",
    "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for",
    "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent,
    "request_time": $request_time, "status":$status, "vhost": "$host", "request_proto":
    "$server_protocol", "path": "$uri", "request_query": "$args", "request_length":
    $request_length, "duration": $request_time,"method": "$request_method", "http_referrer":
    "$http_referer", "http_user_agent": "$http_user_agent" }'
  ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
  ssl-early-data: "true"
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: nginx
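Why the added `ssl-ciphers` line matters, as an added example that is not from the original posts: TLS 1.0/1.1 cannot negotiate AEAD (GCM, CHACHA20, CCM) or SHA256/SHA384-MAC suites, so a legacy protocol enabled next to a TLS 1.2-only cipher list has no shared cipher and the handshake fails. The check below takes explicit OpenSSL suite names only; `AEAD_ONLY_CIPHERS` is a constructed stand-in for the cipher list in effect in the question, which is assumed to have contained only TLS 1.2 suites.

```python
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# ssl-ciphers value copied from the answer's ConfigMap above.
ANSWER_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
)
# Constructed stand-in (assumption): the nine AEAD suites at the head of the list.
AEAD_ONLY_CIPHERS = ":".join(ANSWER_CIPHERS.split(":")[:9])


def usable_before_tls12(suite):
    """True if an explicit OpenSSL suite name can be negotiated by TLS 1.0/1.1."""
    if suite.startswith("TLS_"):  # TLS 1.3 suite names
        return False
    if any(tag in suite for tag in ("GCM", "CHACHA20", "CCM")):  # AEAD: TLS 1.2+
        return False
    return not suite.endswith(("SHA256", "SHA384"))  # SHA-2 MAC suites: TLS 1.2+


def audit(ssl_protocols, ssl_ciphers):
    """Return (legacy protocols enabled, suites they can use, those without forward secrecy)."""
    legacy = sorted(LEGACY_PROTOCOLS & set(ssl_protocols.split()))
    usable = [s for s in ssl_ciphers.split(":") if usable_before_tls12(s)] if legacy else []
    no_fs = [s for s in usable if not s.startswith(("ECDHE-", "DHE-"))]
    return legacy, usable, no_fs


if __name__ == "__main__":
    for name, protocols, ciphers in (
        ("question", "TLSv1.1 TLSv1.2", AEAD_ONLY_CIPHERS),
        ("answer", "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", ANSWER_CIPHERS),
    ):
        legacy, usable, no_fs = audit(protocols, ciphers)
        state = "no usable cipher: handshake fails" if legacy and not usable else "ok"
        print(f"{name}: legacy={legacy} usable={len(usable)} no_fs={no_fs} -> {state}")
```

The suites it reports without forward secrecy (static RSA and 3DES) exist in the list only to serve the legacy protocols, so they can be dropped together with TLSv1 and TLSv1.1.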