Why is this so difficult? disable TLS 1.0 and 1.1 w/ Kubernetes Ingress + Traefik 2.6.3

bitsofinfo.g · June 9, 2022, 2:07am

Ok, burned at least 8+ hours on this so far and loosing my mind:

I simply want to disable TLS 1.0/1.1 globally for traefik. No matter what I do, when running testssl.sh or using any available TLS eval tool, TLS 1.0 and 1.1 is still enabled...

I'm starting traefik 2.6.3 w/ the helm chart on k8s
I've read about every post on the internet about this + the diocs and tried about every combination of ingress annotation...and what seems available in the chart.... this should be much simpler.

Can anyone provide an example of how they have successfully disabled TLS 1.0 and 1.1 on Kubernetes for any Ingress that is deployed including the default when no SNI is provided?

I've tried all the following:

 kubectl get tlsoption default -n traefik -o yaml

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  annotations:
    meta.helm.sh/release-name: traefik-external
    meta.helm.sh/release-namespace: traefik
  creationTimestamp: "2022-06-09T01:41:11Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: traefik-external
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-10.19.4
  name: default
  namespace: traefik
  resourceVersion: "743225"
  uid: edda0817-db65-42df-85d0-140c35c70696
spec:
  minVersion: VersionTLS13

along w/ the following annotation on any Ingress:

traefik.ingress.kubernetes.io/router.tls.options: traefik-default@kubernetescrd

or this variant:

traefik.ingress.kubernetes.io/router.tls.options: default

I've tried settings the following in the helm chart as well

this...

--entrypoints.websecure.http.tls.options=default

or this variant...

--entrypoints.websecure.http.tls.options=traefik-default@kubernetescrd

lost with this...

razr · June 14, 2022, 11:02am

I configured this using a dynamic configuration file.

I created a ConfigMap with the following content:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-dynamicconfig
  labels:
    ...
data:
  tls.yml:
    tls:
      options:
        default:
          minVersion: VersionTLS12
          cipherSuites:
            # TLS 1.2 ciphers
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
            # TLS 1.3 ciphers
            - TLS_AES_128_GCM_SHA256
            - TLS_AES_256_GCM_SHA384
            - TLS_CHACHA20_POLY1305_SHA256
      certificates:
        ...

I then did the following in the values.yaml for the Helm chart to mount and read this config:

...
volumes:
  - name: traefik-dynamicconfig
    mountPath: /etc/traefik/dynamic/
    type: configMap
...
additionalArguments:
  ...
  # read dynamic configuration from files in this directory
  - "--providers.file.directory=/etc/traefik/dynamic/"
...

(I also use this to load some default middlewares that I can either use manually on any ingress(route) or that are enabled by default on all routes with additionalArgument "--entryPoints.websecure.http.middlewares=name-of-my-default-middleware@file")

Hope you can find some inspiration here.

Best,
Max

razr · June 14, 2022, 11:12am

Looking at the documentation your default TLSOption resource should work out-of-the-box without without any configuration in Traefik though:

When using the TLSOption resource in Kubernetes, one might setup a default set of options that, if not explicitly overwritten, should apply to all ingresses.
To achieve that, you'll have to create a TLSOption resource with the name default. There may exist only one TLSOption with the name default (across all namespaces) - otherwise they will be dropped.

Source: Traefik TLS Documentation - Traefik

Are you sure you only have one TLSOption named default across all your namespaces? Maybe that's the issue?

Best,
Max

razr · June 14, 2022, 11:21am

I just saw, that the Helm chart has the option to set this directly in it:

tlsOptions:
  default:
    minVersion: VersionTLS12
    cipherSuites:
      # TLS 1.1 and 1.2 ciphers
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # TLS 1.3 ciphers
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256

jagyas · April 29, 2024, 9:22am

Please note. If yo are using cloudflare in front of your traefik server then you need to configure these settings in cloudflare not in traefik. I spent whole day to configure TLSOptions in traefik and realized I was getting B grade because of coludflare configured settings.

Topic		Replies	Views
Disable TLS 1.0/1.1 via ingress annotations Traefik v2 kubernetes-ingress	3	1174	May 18, 2022
Disable TLSv1/v1.1 globally, running as k8s controller Traefik v2 kubernetes-ingress	2	623	February 24, 2020
How to disable TLS 1.0 and TLS 1.1 in Traefik 1.7.20 Traefik v1 consul , kubernetes-ingress	4	3628	May 4, 2022
Traefik ignores TLSOptions Traefik v2 kubernetes-crd , middleware	1	467	February 26, 2024
Disable TLS 1.0/1.1 and enable TLS 1.3 in Traefik 1.7 with Kubernetes Traefik v1 kubernetes-ingress	0	750	January 19, 2021

Why is this so difficult? disable TLS 1.0 and 1.1 w/ Kubernetes Ingress + Traefik 2.6.3

Related topics