chore(conf): disable TLSv1.1 and lower in openssl 3.x (#12420)

- remove unsupported TLS versions from default configurations. - support communication with old versions of OpenSSL clients using TLSv1.1. KAG-3259 (cherry picked from commit 2516c50)
Kong · Feb 19, 2024 · 6ebd34a · 6ebd34a
1 parent 72379e9
commit 6ebd34a
Show file tree

Hide file tree

Showing 14 changed files with 61 additions and 22 deletions.
diff --git a/changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml b/changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml
@@ -0,0 +1,3 @@
+message: now TLSv1.1 and lower is by default disabled in OpenSSL 3.x
+type: feature
+scope: Configuration
diff --git a/kong.conf.default b/kong.conf.default
@@ -735,6 +735,7 @@
 #ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
                                  # Accepted values are `modern`,
                                  # `intermediate`, `old`, `fips` or `custom`.
+                                 # If you want to enable TLSv1.1, this value has to be `old`.
                                  #
                                  # See https://wiki.mozilla.org/Security/Server_Side_TLS
                                  # for detailed descriptions of each cipher
@@ -747,13 +748,15 @@
                                  # This value is ignored if `ssl_cipher_suite`
                                  # is not `custom`.
 
-#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+#ssl_protocols = TLSv1.2 TLSv1.3
                                  # Enables the specified protocols for
                                  # client-side connections. The set of
                                  # supported protocol versions also depends
                                  # on the version of OpenSSL Kong was built
                                  # with. This value is ignored if
                                  # `ssl_cipher_suite` is not `custom`.
+                                 # If you want to enable TLSv1.1, you should
+                                 # set `ssl_cipher_suite` to `old`.
                                  #
                                  # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 
@@ -1743,7 +1746,7 @@
                                  #
                                  # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
 
-#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3   # Defines the TLS versions supported
+#lua_ssl_protocols = TLSv1.2 TLSv1.3   # Defines the TLS versions supported
                                                # when handshaking with OpenResty's
                                                # TCP cosocket APIs.
                                                #

diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
@@ -982,6 +982,22 @@ local function check_and_parse(conf, opts)
         conf.ssl_dhparam = suite.dhparams
         conf.nginx_http_ssl_dhparam = suite.dhparams
         conf.nginx_stream_ssl_dhparam = suite.dhparams
+      else
+        for _, key in ipairs({
+          "nginx_http_ssl_conf_command",
+          "nginx_http_proxy_ssl_conf_command",
+          "nginx_http_lua_ssl_conf_command",
+          "nginx_stream_ssl_conf_command",
+          "nginx_stream_proxy_ssl_conf_command",
+          "nginx_stream_lua_ssl_conf_command"}) do
+
+          if conf[key] then
+            local _, _, seclevel = string.find(conf[key], "@SECLEVEL=(%d+)")
+            if seclevel ~= "0" then
+              ngx.log(ngx.WARN, key, ": Default @SECLEVEL=0 overridden, TLSv1.1 unavailable")
+            end
+          end
+        end
       end
 
     else

diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua
@@ -53,7 +53,7 @@ client_ssl_cert = NONE
 client_ssl_cert_key = NONE
 ssl_cipher_suite = intermediate
 ssl_ciphers = NONE
-ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+ssl_protocols = TLSv1.2 TLSv1.3
 ssl_prefer_server_ciphers = on
 ssl_dhparam = NONE
 ssl_session_tickets = on
@@ -91,9 +91,15 @@ nginx_http_ssl_prefer_server_ciphers = NONE
 nginx_http_ssl_dhparam = NONE
 nginx_http_ssl_session_tickets = NONE
 nginx_http_ssl_session_timeout = NONE
+nginx_http_ssl_conf_command = NONE
+nginx_http_proxy_ssl_conf_command = NONE
+nginx_http_lua_ssl_conf_command = NONE
 nginx_http_lua_regex_match_limit = 100000
 nginx_http_lua_regex_cache_max_entries = 8192
 nginx_http_keepalive_requests = 10000
+nginx_stream_ssl_conf_command = NONE
+nginx_stream_proxy_ssl_conf_command = NONE
+nginx_stream_lua_ssl_conf_command = NONE
 nginx_stream_ssl_protocols = NONE
 nginx_stream_ssl_prefer_server_ciphers = NONE
 nginx_stream_ssl_dhparam = NONE
@@ -170,7 +176,7 @@ router_flavor = traditional_compatible
 lua_socket_pool_size = 30
 lua_ssl_trusted_certificate = system
 lua_ssl_verify_depth = 1
-lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+lua_ssl_protocols = TLSv1.2 TLSv1.3
 lua_package_path = ./?.lua;./?/init.lua;
 lua_package_cpath = NONE
 

diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
@@ -24,6 +24,11 @@ lua_shared_dict kong_db_cache_miss          12m;
 lua_shared_dict kong_secrets                5m;
 
 underscores_in_headers on;
+> if ssl_cipher_suite == 'old' then
+lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+> end
 > if ssl_ciphers then
 ssl_ciphers ${{SSL_CIPHERS}};
 > end
@@ -462,7 +467,7 @@ server {
     ssl_certificate     $(admin_gui_ssl_cert[i]);
     ssl_certificate_key $(admin_gui_ssl_cert_key[i]);
 > end
-    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
 > end
 
     client_max_body_size 10m;

diff --git a/kong/templates/nginx_kong_stream.lua b/kong/templates/nginx_kong_stream.lua
@@ -33,6 +33,12 @@ ssl_ciphers ${{SSL_CIPHERS}};
 $(el.name) $(el.value);
 > end
 
+> if ssl_cipher_suite == 'old' then
+lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+> end
+
 init_by_lua_block {
     -- shared dictionaries conflict between stream/http modules. use a prefix.
     local shared = ngx.shared

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -1540,19 +1540,19 @@ describe("Configuration loader", function()
           assert.is_nil(err)
           assert.is_table(conf)
 
-          assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols)
-          assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols)
+          assert.equal("TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols)
+          assert.equal("TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols)
         end)
 
         it("sets lua_ssl_protocols to user specified value", function()
           local conf, err = conf_loader(nil, {
-            lua_ssl_protocols = "TLSv1.1"
+            lua_ssl_protocols = "TLSv1.2"
           })
           assert.is_nil(err)
           assert.is_table(conf)
 
-          assert.equal("TLSv1.1", conf.nginx_http_lua_ssl_protocols)
-          assert.equal("TLSv1.1", conf.nginx_stream_lua_ssl_protocols)
+          assert.equal("TLSv1.2", conf.nginx_http_lua_ssl_protocols)
+          assert.equal("TLSv1.2", conf.nginx_stream_lua_ssl_protocols)
         end)
 
         it("sets nginx_http_lua_ssl_protocols and nginx_stream_lua_ssl_protocols to different values", function()

diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
@@ -1461,7 +1461,7 @@ describe("NGINX conf compiler", function()
       local http_inject_conf = prefix_handler.compile_nginx_http_inject_conf(helpers.test_conf)
       assert.matches("lua_ssl_verify_depth%s+1;", http_inject_conf)
       assert.matches("lua_ssl_trusted_certificate.+;", http_inject_conf)
-      assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", http_inject_conf)
+      assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", http_inject_conf)
     end)
     it("sets lua_ssl_verify_depth", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {
@@ -1501,7 +1501,7 @@ describe("NGINX conf compiler", function()
       local stream_inject_conf = prefix_handler.compile_nginx_stream_inject_conf(helpers.test_conf)
       assert.matches("lua_ssl_verify_depth%s+1;", stream_inject_conf)
       assert.matches("lua_ssl_trusted_certificate.+;", stream_inject_conf)
-      assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", stream_inject_conf)
+      assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", stream_inject_conf)
     end)
     it("sets lua_ssl_verify_depth", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {

diff --git a/spec/01-unit/28-inject_confs_spec.lua b/spec/01-unit/28-inject_confs_spec.lua
@@ -18,12 +18,12 @@ lmdb_map_size         2048m;
       local http_conf = fmt([[
 lua_ssl_verify_depth   1;
 lua_ssl_trusted_certificate '%s/servroot/.ca_combined';
-lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+lua_ssl_protocols TLSv1.2 TLSv1.3;
 ]], cwd)
       local stream_conf = fmt([[
 lua_ssl_verify_depth   1;
 lua_ssl_trusted_certificate '%s/servroot/.ca_combined';
-lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+lua_ssl_protocols TLSv1.2 TLSv1.3;
 ]], cwd)
 
       local args = {

diff --git a/spec/fixtures/1.2_custom_nginx.template b/spec/fixtures/1.2_custom_nginx.template
@@ -98,7 +98,7 @@ http {
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
         ssl_certificate_by_lua_block {
             Kong.ssl_certificate()
         }
@@ -200,7 +200,7 @@ http {
         ssl_certificate     $(admin_ssl_cert[i]);
         ssl_certificate_key $(admin_ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
 > end
 
         # injected nginx_admin_* directives
@@ -237,7 +237,7 @@ http {
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
 
         set_real_ip_from 127.0.0.1;
 
@@ -557,7 +557,7 @@ stream {
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_protocols TLSv1.2;
 
         content_by_lua_block {
             local sock = assert(ngx.req.socket(true))

diff --git a/spec/fixtures/aws-lambda.lua b/spec/fixtures/aws-lambda.lua
@@ -17,7 +17,7 @@ local fixtures = {
           ssl_certificate ${{SSL_CERT}};
           ssl_certificate_key ${{SSL_CERT_KEY}};
 > end
-          ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_protocols TLSv1.2 TLSv1.3;
 
           location ~ "/2015-03-31/functions/(?:[^/])*/invocations" {
               content_by_lua_block {

diff --git a/spec/fixtures/mock_webserver_tpl.lua b/spec/fixtures/mock_webserver_tpl.lua
@@ -83,7 +83,7 @@ http {
 #end
     ssl_certificate     ${cert_path}/kong_spec.crt;
     ssl_certificate_key ${cert_path}/kong_spec.key;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols TLSv1.2;
     ssl_ciphers   HIGH:!aNULL:!MD5;
 #end
 # if check_hostname then

diff --git a/spec/helpers.lua b/spec/helpers.lua
@@ -3521,7 +3521,7 @@ end
 --
 --          ssl_certificate ${{SSL_CERT}};
 --          ssl_certificate_key ${{SSL_CERT_KEY}};
---          ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+--          ssl_protocols TLSv1.2 TLSv1.3;
 --
 --          location ~ "/echobody" {
 --            content_by_lua_block {

diff --git a/spec/helpers/http_mock/template.lua b/spec/helpers/http_mock/template.lua
@@ -125,7 +125,7 @@ http {
 # if tls then
     ssl_certificate        ../../spec/fixtures/kong_spec.crt;
     ssl_certificate_key    ../../spec/fixtures/kong_spec.key;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols TLSv1.2;
     ssl_ciphers   HIGH:!aNULL:!MD5;
 
 # end