How to disable TLS 1.0 and TLS 1.1 in Traefik 1.7.20

checkelmann · January 14, 2020, 7:27am

Hi,

does anybody knows how to disable TLS 1.0 and TLS 1.1 Support and enable 1.2 & 1.3 in Traefik 1.7.20?
I've seen documentation for Traefik 2 but not for 1.7.

I would appreciate any help!

Thanks

Christian

checkelmann · January 14, 2020, 8:04am

Ok found in consul the key entrypoints.https.tls.minversion and set the GO ENV Var GODEBUG=tls13=1 for TLS 1.3

TrafikJam · August 6, 2020, 1:19pm

I added:

     environment:
       - "GODEBUG=tls11=0"
       - "GODEBUG=tls10=0"

But TLS checkers still show the site has having 1.0 & 1.1 enabled. How do we disable them?

Gigante · April 23, 2022, 3:05pm

Well, any updates here? The -e GODEBUG=tls10=0 doesn't seem to work?

nodesocket · May 4, 2022, 5:35pm

@Gigante and @checkelmann I am also trying to disable TLS 1.0 and TLS 1.1. I am using the legacy/old v1 Helm chart (Traefik version 1.7.34) and have the following values set as per GitHub issues I found:

  ssl:
    sniStrict: true
    tlsMinVersion: VersionTLS12

However, SSLabs is still intermittently showing TLS 1.0 and 1.1 enabled. It's not consistent. Sometimes only TLS 1.2 is shown as enabled, other times all are shown as enabled.

Further debugging, I went and got the contents of the configmap inside of the Kubernetes cluster:

traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
        [entryPoints.http.proxyProtocol]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.http.forwardedHeaders]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.http.redirect]
          regex = "^http://(.*)"
          replacement = "https://$1"
          permanent = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.proxyProtocol]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.https.forwardedHeaders]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.https.tls]
          minVersion = "VersionTLS12"
          sniStrict = true
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
      [entryPoints.traefik]
      address = ":8080"
    [ping]
    entryPoint = "http"
    [kubernetes]
    ingressClass = "traefik"
    [traefikLog]
      format = "json"
    [accessLog]
      format = "common"
    [accessLog.fields]
      defaultMode = "keep"
    [accessLog.fields.names]
    [accessLog.fields.headers]
      defaultMode = "keep"
    [accessLog.fields.headers.names]
    [consul]
    endpoint = "consul:8500"
    watch = true
    prefix = "traefik"
    [acme]
    KeyType = "RSA4096"
    email = "engineering@mycompany.com"
    storage = "traefik/acme/account"
    entryPoint = "https"
    onHostRule = true
    acmeLogging = true
      [acme.httpChallenge]
      entryPoint = "http"
    [api]
      entryPoint = "traefik"
      dashboard = true

Which confirms that minVersion = "VersionTLS12" and sniStrict = true are both set. I am at a loss myself what to do next.