Disable TLS 1.0 and 1.1

Hello,

I am trying to disable older TLS versions.

https://docs.traefik.io/https/tls/#minimum-tls-version suggests this YAML:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true

    mintls13:
      minVersion: VersionTLS13

but according to https://www.ssllabs.com/ that does not have any effect.

Some other forum postings I read did not help either.

  • How can I disable TLS 1.0 and 1.1 for Traefik as the default for all routers?
  • What does the mintls13 section do? I was unable to find any documentation.

Thanks!

Yes. That is the way.

I have confirmed this using sslyze, ssllabs and mozilla observatory, on versions 2.0 through 2.2.

You may know this already, but when re-scanning, use the clear cache link from the results page.

I like to use sslyze first as it is faster than the external tools.

I have just checked my traefik.yaml again and restarted the docker container. Still, it's serving TLS 1.0 and TLS 1.1.

The host is e.g. mail.xgm.de, if you want to run a check yourself.

Are you using Traefik 2?

I also tried sslyze, see below.

Any more ideas?

Thanks!

% sslyze --tlsv1 --tlsv1_1 mail.xgm.de

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   mail.xgm.de:443                       => 45.83.105.139

 SCAN RESULTS FOR MAIL.XGM.DE:443 - 45.83.105.139
 ------------------------------------------------

 * TLS 1.0 Cipher suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 6 cipher suites:
        TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
        TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     168                      
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               168       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server has no preferred cipher suite.


 * TLS 1.1 Cipher suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 6 cipher suites:
        TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
        TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     168                      
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               168       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server has no preferred cipher suite.



 SCAN COMPLETED IN 6.09 S
 ------------------------

I can also add TraefikEE 2.1 to that list.

I think it is likely your TLS options are not being loaded. These need to be defined in the file provider.

Ok, it is very much possible that my configuration is missing something.

I seem to have confused static (traefik.yaml) and dynamic configuration.

Now after adding:

providers:
  file:
    filename: /etc/traefik/dynamic_conf.yaml

to my traefik.yaml (static configuration), putting the TLS configuration above into dynamic_conf.yaml and mounting that into the Traefik container, it works!

Thanks!

One more question: can you tell me what the

mintls13:
   minVersion: VersionTLS13

means? Is that some sub-version of TLS 1.3?

It is a named set of options instead of default. You can use it in a router rule:
- "traefik.http.routers.supasecure.tls.options=mintls13"
That it is called mintls13 is arbitrary; it is just a naming key.
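A small lint for the static/dynamic split worked out above and for the named options set explained in this reply, added here as an example (not code from the thread or from Traefik). The config dicts are constructed to mirror the YAML in the thread, and the hypothetical `lint_tls` function reports the mistakes the poster ran into; load real files with PyYAML's `yaml.safe_load` if it is installed.

```python
# Added example: lint a Traefik static/dynamic config pair for the TLS-version
# mistakes discussed in the thread. The sample dicts are constructed, not loaded.
VALID = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]

def lint_tls(static, dynamic, router_labels=()):
    """Return a list of findings; an empty list means the setup looks right."""
    findings = []
    # 1. tls.options only takes effect in dynamic configuration (file provider).
    if "tls" in static:
        findings.append("tls.options in static config is ignored; move it to the dynamic file")
    # 2. Without a file provider the dynamic file is never read at all.
    file_provider = static.get("providers", {}).get("file", {})
    if not (file_provider.get("filename") or file_provider.get("directory")):
        findings.append("no providers.file in static config; dynamic TLS options are never loaded")
    options = dynamic.get("tls", {}).get("options", {})
    # 3. Without an explicit default minVersion the server still offers TLS 1.0/1.1,
    #    which is exactly what the sslyze scan in the thread showed.
    if options.get("default", {}).get("minVersion") is None:
        findings.append("tls.options.default.minVersion not set; TLS 1.0/1.1 remain enabled")
    for name, opts in options.items():
        v = opts.get("minVersion")
        if v is not None and v not in VALID:
            findings.append(f"options.{name}: unknown minVersion {v!r}")
        elif v in ("VersionTLS10", "VersionTLS11"):
            findings.append(f"options.{name}: minVersion {v} still allows TLS 1.0/1.1")
    # 4. A router label may reference a named set; that set must exist. The
    #    "name@file" form is how Traefik refers to options defined in the file provider.
    for label in router_labels:
        key, _, value = label.partition("=")
        if key.endswith(".tls.options") and value.split("@")[0] not in options:
            findings.append(f"{key} references undefined options set {value!r}")
    return findings

# Constructed samples: the poster's first attempt, and the working layout.
STATIC_BROKEN = {"tls": {"options": {"default": {"minVersion": "VersionTLS12"}}}}
STATIC_FIXED = {"providers": {"file": {"filename": "/etc/traefik/dynamic_conf.yaml"}}}
DYNAMIC = {"tls": {"options": {
    "default": {"minVersion": "VersionTLS12", "sniStrict": True},
    "mintls13": {"minVersion": "VersionTLS13"}}}}
LABELS = ["traefik.http.routers.supasecure.tls.options=mintls13"]

if __name__ == "__main__":
    for finding in lint_tls(STATIC_BROKEN, {}):
        print("broken:", finding)
    print("fixed:", lint_tls(STATIC_FIXED, DYNAMIC, LABELS) or "no findings")
```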
