Traefik 2 ignoring TLS options in entrypoints

Hi all,
I have an issue with TLS options applied to an entrypoint. I'm using Traefik 2.3.2.

Here is my dynamic TLS configuration file:

tls:
  options:
    tls13:
      minVersion: "VersionTLS13"
    tls10:
      minVersion: "VersionTLS10"
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
        - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
        - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

And here is my static configuration portion defining entrypoints:

entryPoints:
  https:
    address: ":443"
    http:
      tls:
        options: tls13@file

I need to define an option for TLS 1.0 for compatibility reasons on a specific environment, but in the example above I need to make it TLS 1.3 only. The option seems to be applied in the Traefik dashboard, as all routers implementing the "https" entrypoint are showing tls13@file as the TLS option set for the route; however, an SSL Labs scan reveals that all TLS versions are accepted.

There seems to be a bug, as the TLS option is accepted by Traefik and displayed as correct in the dashboard, but somehow ignored. The only way I could have a specific TLS option applied was to set a different default TLS option for all environments.

Any help figuring this out would be greatly appreciated, thanks!

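A local check for what the SSL Labs scan in the post measures, added here as an example (not part of the original post and not Traefik code): it pins one handshake to each TLS version and lists every version below the configured `minVersion` that the entrypoint still accepts. The host name in the usage lines is a placeholder, and the helper names `probe`, `below_minimum` and `audit` are made up for this example.

```python
import socket
import ssl
import warnings

# Traefik minVersion names (as on the page), oldest first, mapped to Python's enum.
VERSIONS = {
    "VersionTLS10": ssl.TLSVersion.TLSv1,
    "VersionTLS11": ssl.TLSVersion.TLSv1_1,
    "VersionTLS12": ssl.TLSVersion.TLSv1_2,
    "VersionTLS13": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, name, timeout=5.0):
    """True if a handshake pinned to exactly this version succeeds, False if
    it is refused, None if the local OpenSSL build cannot offer the version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is not validated
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # lets OpenSSL 3 offer TLS 1.0/1.1
            ctx.minimum_version = VERSIONS[name]
            ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname sends SNI, so probe with the router's host name.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def below_minimum(configured, results):
    """Versions older than the configured minVersion that were still accepted."""
    names = list(VERSIONS)
    return [n for n in names[:names.index(configured)] if results.get(n) is True]

def audit(host, port, configured):
    """Probe every version and report the ones that violate minVersion."""
    results = {name: probe(host, port, name) for name in VERSIONS}
    return results, below_minimum(configured, results)

if __name__ == "__main__":
    # traefik.example.test is a placeholder; tls13 on the page sets VersionTLS13.
    results, bad = audit("traefik.example.test", 443, "VersionTLS13")
    print(results, "accepted below minVersion:", bad)
```

A `None` result means the client could not test that version, not that the server rejects it, so it is never counted as a violation.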