I have configured default TLS options in traefik.yaml as described in the docs:
entryPoints:
  web:
    address: "0.0.0.0:80"
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
  websecure:
    address: "0.0.0.0:443"
    http:
      tls:
        certResolver: letsencrypt
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
  metrics:
    address: ":9090"
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
Yet I'm still able to connect to Traefik with 'openssl s_client IP -tls1', and www.ssllabs.com reports TLS 1.0/1.1 as supported.
I also tried adding a "tls.options: default" block to the websecure endpoint, but it doesn't help.
Please note, I'm using k8s ingress for dynamic routers configuration.
Any ideas on what is wrong?
P.S. traefik was restarted after config modification.