Disable TLS 1.0 and 1.1

Hello,

I try to disable older TLS versions.

https://docs.traefik.io/https/tls/#minimum-tls-version suggests this YAML:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true        

    mintls13:
      minVersion: VersionTLS13

but according to https://www.ssllabs.com/ that does not have any effect.

Some other forum postings I read did not help either.

  • How can disable TLS 1.0 and 1.1 for Traefik as default for all routers?
  • What does the mintls13 section does? I was unable to find any documentation.

Thanks!

Yes. That is the way.

I have confirmed this using sslyze, ssllabs and mozilla observatory. Versions 2.0 through 2.2

You may know, but when subsequent re-scanning use the clear cache link from the results page.

I like to use sslyze first as it is faster than the external tools.

I have just checked again my traefik.yaml and restarted the docker container. Still, it's serving TLS 1.0 and TLS 1.1.

The host is e.g. mail.xgm.de, if you want to run a check yourself.

Are you using Traefik 2?

I also tried sslyze, see below.

Any more ideas?

Thanks!

% sslyze --tlsv1 --tlsv1_1 mail.xgm.de

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   mail.xgm.de:443                       => 45.83.105.139 




 SCAN RESULTS FOR MAIL.XGM.DE:443 - 45.83.105.139
 ------------------------------------------------

 * TLS 1.0 Cipher suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 6 cipher suites:
        TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
        TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     168                      
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               168       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server has no preferred cipher suite.


 * TLS 1.1 Cipher suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 6 cipher suites:
        TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
        TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     168                      
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               168       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported

     The server has no preferred cipher suite.



 SCAN COMPLETED IN 6.09 S
 ------------------------

I can also add TraefikEE 2.1 to that list.

I think it is likely your TLS options are not being loaded. This need to be defined in the file provider.

Ok, that is very much possible, that my configuration is missing something.

I seem to have confusde static (traefik.yaml) and dynamic configuration.

Now after adding:

providers:
  file:
    filename: /etc/traefik/dynamic_conf.yaml

to my traefik.yaml (static configuration) and the TLS configuration above into dynamic_conf.yaml, mount that into the Traefik container, it works!

Thanks!

One more question, can you tell me, what the

mintls13:
   minVersion: VersionTLS13

means? Is that some sub-version of TLS 1.3?

1 Like

It is a named set of options instead of default. You can use it in a router rule:
- "traefik.http.routers.supasecure.tls.options=mintls13"
That it is called mintls13 is arbitrary it is just a naming key.

2 Likes