How to disable TLS 1.0 and TLS 1.1 in Traefik 1.7.20

Hi,

Does anybody know how to disable TLS 1.0 and TLS 1.1 support and enable 1.2 & 1.3 in Traefik 1.7.20?
I've seen documentation for Traefik 2 but not for 1.7.

I would appreciate any help!

Thanks

Christian

OK, I found the key entrypoints.https.tls.minversion in Consul and set the Go environment variable GODEBUG=tls13=1 for TLS 1.3.

I added:

     environment:
       - "GODEBUG=tls11=0"
       - "GODEBUG=tls10=0"

But TLS checkers still show the site as having 1.0 & 1.1 enabled. How do we disable them?

Well, any updates here? The -e GODEBUG=tls10=0 doesn't seem to work?

@Gigante and @checkelmann I am also trying to disable TLS 1.0 and TLS 1.1. I am using the legacy/old v1 Helm chart (Traefik version 1.7.34) and have the following values set as per GitHub issues I found:

  ssl:
    sniStrict: true
    tlsMinVersion: VersionTLS12

However, SSL Labs is still intermittently showing TLS 1.0 and 1.1 enabled. It's not consistent. Sometimes only TLS 1.2 is shown as enabled, other times all are shown as enabled.

Debugging further, I got the contents of the ConfigMap inside the Kubernetes cluster:

traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
        [entryPoints.http.proxyProtocol]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.http.forwardedHeaders]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.http.redirect]
          regex = "^http://(.*)"
          replacement = "https://$1"
          permanent = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.proxyProtocol]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.https.forwardedHeaders]
        trustedIPs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
        [entryPoints.https.tls]
          minVersion = "VersionTLS12"
          sniStrict = true
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
      [entryPoints.traefik]
      address = ":8080"
    [ping]
    entryPoint = "http"
    [kubernetes]
    ingressClass = "traefik"
    [traefikLog]
      format = "json"
    [accessLog]
      format = "common"
    [accessLog.fields]
      defaultMode = "keep"
    [accessLog.fields.names]
    [accessLog.fields.headers]
      defaultMode = "keep"
    [accessLog.fields.headers.names]
    [consul]
    endpoint = "consul:8500"
    watch = true
    prefix = "traefik"
    [acme]
    KeyType = "RSA4096"
    email = "engineering@mycompany.com"
    storage = "traefik/acme/account"
    entryPoint = "https"
    onHostRule = true
    acmeLogging = true
      [acme.httpChallenge]
      entryPoint = "http"
    [api]
      entryPoint = "traefik"
      dashboard = true

This confirms that minVersion = "VersionTLS12" and sniStrict = true are both set. I am at a loss as to what to do next.
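
To check which protocol versions an endpoint actually negotiates, independently of what traefik.toml says, and to put numbers on the intermittent scanner results described above, here is a small Go probe. It is an added example, not part of any post in this thread and not Traefik code; the names ProbeVersion and ProbeRepeated, the 5 second timeout and the 10 attempts per version are choices made for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

var probeVersions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// ProbeVersion reports whether one handshake pinned to exactly version v succeeds.
func ProbeVersion(addr, serverName string, v uint16) bool {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{
		ServerName:         serverName, // SNI; relevant when sniStrict is on
		MinVersion:         v,
		MaxVersion:         v,
		InsecureSkipVerify: true, // only the protocol version is under test
	})
	if err != nil {
		return false // handshake refused, or host unreachable
	}
	defer conn.Close()
	return conn.ConnectionState().Version == v
}

// ProbeRepeated counts accepted handshakes per version over n attempts; a count between 0 and n means inconsistent answers.
func ProbeRepeated(addr, serverName string, n int) map[uint16]int {
	accepted := make(map[uint16]int)
	for _, v := range probeVersions {
		for i := 0; i < n; i++ {
			if ProbeVersion(addr, serverName, v) {
				accepted[v]++
			}
		}
	}
	return accepted
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: tlsprobe HOST:PORT SERVER_NAME")
		os.Exit(2)
	}
	counts := ProbeRepeated(os.Args[1], os.Args[2], 10)
	for _, v := range probeVersions {
		fmt.Printf("%s accepted %d/10\n", tls.VersionName(v), counts[v])
	}
}
```

A result of 0/10 for TLS 1.0 and TLS 1.1 means the minimum version is enforced on every handshake the probe made; any other count for those two versions reproduces the inconsistency locally.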