diff --git a/changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml b/changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml new file mode 100644 index 00000000000..aa9305e7731 --- /dev/null +++ b/changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml @@ -0,0 +1,3 @@ +message: now TLSv1.1 and lower is by default disabled in OpenSSL 3.x +type: feature +scope: Configuration diff --git a/kong.conf.default b/kong.conf.default index 4710fc68fa5..134859fa03b 100644 --- a/kong.conf.default +++ b/kong.conf.default @@ -735,6 +735,7 @@ #ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx. # Accepted values are `modern`, # `intermediate`, `old`, `fips` or `custom`. + # If you want to enable TLSv1.1, this value has to be `old`. # # See https://wiki.mozilla.org/Security/Server_Side_TLS # for detailed descriptions of each cipher @@ -747,13 +748,15 @@ # This value is ignored if `ssl_cipher_suite` # is not `custom`. -#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 +#ssl_protocols = TLSv1.2 TLSv1.3 # Enables the specified protocols for # client-side connections. The set of # supported protocol versions also depends # on the version of OpenSSL Kong was built # with. This value is ignored if # `ssl_cipher_suite` is not `custom`. + # If you want to enable TLSv1.1, you should + # set `ssl_cipher_suite` to `old`. # # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols @@ -1743,7 +1746,7 @@ # # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth -#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 # Defines the TLS versions supported +#lua_ssl_protocols = TLSv1.2 TLSv1.3 # Defines the TLS versions supported # when handshaking with OpenResty's # TCP cosocket APIs. # diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua index b3bf42fbb92..6dbde41eedf 100644 --- a/kong/conf_loader/init.lua +++ b/kong/conf_loader/init.lua 
@@ -982,6 +982,22 @@ local function check_and_parse(conf, opts) conf.ssl_dhparam = suite.dhparams conf.nginx_http_ssl_dhparam = suite.dhparams conf.nginx_stream_ssl_dhparam = suite.dhparams + else + for _, key in ipairs({ + "nginx_http_ssl_conf_command", + "nginx_http_proxy_ssl_conf_command", + "nginx_http_lua_ssl_conf_command", + "nginx_stream_ssl_conf_command", + "nginx_stream_proxy_ssl_conf_command", + "nginx_stream_lua_ssl_conf_command"}) do + + if conf[key] then + local _, _, seclevel = string.find(conf[key], "@SECLEVEL=(%d+)") + if seclevel ~= "0" then + ngx.log(ngx.WARN, key, ": Default @SECLEVEL=0 overridden, TLSv1.1 unavailable") + end + end + end end else diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua index a76b1330f23..690629f88db 100644 --- a/kong/templates/kong_defaults.lua +++ b/kong/templates/kong_defaults.lua @@ -53,7 +53,7 @@ client_ssl_cert = NONE client_ssl_cert_key = NONE ssl_cipher_suite = intermediate ssl_ciphers = NONE -ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 +ssl_protocols = TLSv1.2 TLSv1.3 ssl_prefer_server_ciphers = on ssl_dhparam = NONE ssl_session_tickets = on @@ -91,9 +91,15 @@ nginx_http_ssl_prefer_server_ciphers = NONE nginx_http_ssl_dhparam = NONE nginx_http_ssl_session_tickets = NONE nginx_http_ssl_session_timeout = NONE +nginx_http_ssl_conf_command = NONE +nginx_http_proxy_ssl_conf_command = NONE +nginx_http_lua_ssl_conf_command = NONE nginx_http_lua_regex_match_limit = 100000 nginx_http_lua_regex_cache_max_entries = 8192 nginx_http_keepalive_requests = 10000 +nginx_stream_ssl_conf_command = NONE +nginx_stream_proxy_ssl_conf_command = NONE +nginx_stream_lua_ssl_conf_command = NONE nginx_stream_ssl_protocols = NONE nginx_stream_ssl_prefer_server_ciphers = NONE nginx_stream_ssl_dhparam = NONE 
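Review bot: `seclevel` is `nil` whenever the injected `*_ssl_conf_command` value carries no `@SECLEVEL=` token, so the `seclevel ~= "0"` test in the new loop logs "Default @SECLEVEL=0 overridden" for any override, including commands that never touch `CipherString` and therefore leave the template's `DEFAULT:@SECLEVEL=0` directive in effect (nginx accepts several `ssl_conf_command` directives at one level). Narrowing the condition to values that actually replace the cipher string, e.g. `if string.find(conf[key], "CipherString", 1, true) and seclevel ~= "0" then`, keeps the warning meaningful; the `if conf[key] then` guard presumably relies on the `NONE` defaults already having been normalised to `nil` by this point — confirm. The `if` this `else` belongs to, and `check_and_parse` itself, start and end outside the hunk, so which cipher-suite branch reaches the check is not visible here. None of the spec changes in this diff exercise the new warning branch; a unit test that sets one of these keys with and without `@SECLEVEL=0` would pin it.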
@@ -170,7 +176,7 @@ router_flavor = traditional_compatible lua_socket_pool_size = 30 lua_ssl_trusted_certificate = system lua_ssl_verify_depth = 1 -lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 +lua_ssl_protocols = TLSv1.2 TLSv1.3 lua_package_path = ./?.lua;./?/init.lua; lua_package_cpath = NONE diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua index 57dd46f91a5..c95b1cfcf3b 100644 --- a/kong/templates/nginx_kong.lua +++ b/kong/templates/nginx_kong.lua @@ -24,6 +24,11 @@ lua_shared_dict kong_db_cache_miss 12m; lua_shared_dict kong_secrets 5m; underscores_in_headers on; +> if ssl_cipher_suite == 'old' then +lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0; +proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0; +ssl_conf_command CipherString DEFAULT:@SECLEVEL=0; +> end > if ssl_ciphers then ssl_ciphers ${{SSL_CIPHERS}}; > end @@ -462,7 +467,7 @@ server { ssl_certificate $(admin_gui_ssl_cert[i]); ssl_certificate_key $(admin_gui_ssl_cert_key[i]); > end - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; > end client_max_body_size 10m; diff --git a/kong/templates/nginx_kong_stream.lua b/kong/templates/nginx_kong_stream.lua index 4cad7ebce9d..42ec944a5a9 100644 --- a/kong/templates/nginx_kong_stream.lua +++ b/kong/templates/nginx_kong_stream.lua @@ -33,6 +33,12 @@ ssl_ciphers ${{SSL_CIPHERS}}; $(el.name) $(el.value); > end +> if ssl_cipher_suite == 'old' then +lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0; +proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0; +ssl_conf_command CipherString DEFAULT:@SECLEVEL=0; +> end + init_by_lua_block { -- shared dictionaries conflict between stream/http modules. use a prefix. local shared = ngx.shared diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua index f18d362ff88..afef36a0eb7 100644 --- a/spec/01-unit/03-conf_loader_spec.lua +++ b/spec/01-unit/03-conf_loader_spec.lua 
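Review bot: `CipherString DEFAULT:@SECLEVEL=0` does more than re-enable TLSv1.1 — OpenSSL security level 0 also permits the key sizes, signature algorithms and DH parameters that level 1 and above reject, and because the same string is applied to `proxy_ssl_conf_command` and `lua_ssl_conf_command` as well as `ssl_conf_command`, choosing `old` also relaxes what Kong accepts from upstream and cosocket peers, not only what it serves; a template comment above the `> if`, such as `# SECLEVEL=0 is needed for TLSv1.1 on OpenSSL 3.x; it also lifts the level-1 minimums for keys and signatures on all three SSL contexts`, would make that trade-off visible. I believe nginx applies `ssl_conf_command` after `ssl_ciphers`, in which case the `DEFAULT` cipher string here replaces the `old` suite's `ssl_ciphers ${{SSL_CIPHERS}}` list emitted a few lines below with OpenSSL's DEFAULT set — worth confirming with a test that inspects the cipher list actually served with `ssl_cipher_suite = old`. The same block is added to kong/templates/nginx_kong_stream.lua in the stream-template hunk, where both points apply equally.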
@@ -1540,19 +1540,19 @@ describe("Configuration loader", function() assert.is_nil(err) assert.is_table(conf) - assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols) - assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols) + assert.equal("TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols) + assert.equal("TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols) end) it("sets lua_ssl_protocols to user specified value", function() local conf, err = conf_loader(nil, { - lua_ssl_protocols = "TLSv1.1" + lua_ssl_protocols = "TLSv1.2" }) assert.is_nil(err) assert.is_table(conf) - assert.equal("TLSv1.1", conf.nginx_http_lua_ssl_protocols) - assert.equal("TLSv1.1", conf.nginx_stream_lua_ssl_protocols) + assert.equal("TLSv1.2", conf.nginx_http_lua_ssl_protocols) + assert.equal("TLSv1.2", conf.nginx_stream_lua_ssl_protocols) end) it("sets nginx_http_lua_ssl_protocols and nginx_stream_lua_ssl_protocols to different values", function() diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua index 60292b00ef2..1ab705a2944 100644 --- a/spec/01-unit/04-prefix_handler_spec.lua +++ b/spec/01-unit/04-prefix_handler_spec.lua @@ -1461,7 +1461,7 @@ describe("NGINX conf compiler", function() local http_inject_conf = prefix_handler.compile_nginx_http_inject_conf(helpers.test_conf) assert.matches("lua_ssl_verify_depth%s+1;", http_inject_conf) assert.matches("lua_ssl_trusted_certificate.+;", http_inject_conf) - assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", http_inject_conf) + assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", http_inject_conf) end) it("sets lua_ssl_verify_depth", function() local conf = assert(conf_loader(helpers.test_conf_path, { 
@@ -1501,7 +1501,7 @@ describe("NGINX conf compiler", function() local stream_inject_conf = prefix_handler.compile_nginx_stream_inject_conf(helpers.test_conf) assert.matches("lua_ssl_verify_depth%s+1;", stream_inject_conf) assert.matches("lua_ssl_trusted_certificate.+;", stream_inject_conf) - assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", stream_inject_conf) + assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", stream_inject_conf) end) it("sets lua_ssl_verify_depth", function() local conf = assert(conf_loader(helpers.test_conf_path, { diff --git a/spec/01-unit/28-inject_confs_spec.lua b/spec/01-unit/28-inject_confs_spec.lua index ff5ea8afb9f..916a8fe1156 100644 --- a/spec/01-unit/28-inject_confs_spec.lua +++ b/spec/01-unit/28-inject_confs_spec.lua @@ -18,12 +18,12 @@ lmdb_map_size 2048m; local http_conf = fmt([[ lua_ssl_verify_depth 1; lua_ssl_trusted_certificate '%s/servroot/.ca_combined'; -lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; +lua_ssl_protocols TLSv1.2 TLSv1.3; ]], cwd) local stream_conf = fmt([[ lua_ssl_verify_depth 1; lua_ssl_trusted_certificate '%s/servroot/.ca_combined'; -lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; +lua_ssl_protocols TLSv1.2 TLSv1.3; ]], cwd) local args = { diff --git a/spec/fixtures/1.2_custom_nginx.template b/spec/fixtures/1.2_custom_nginx.template index a0079cafe8b..2f3851d919a 100644 --- a/spec/fixtures/1.2_custom_nginx.template +++ b/spec/fixtures/1.2_custom_nginx.template @@ -98,7 +98,7 @@ http { ssl_certificate $(ssl_cert[i]); ssl_certificate_key $(ssl_cert_key[i]); > end - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; ssl_certificate_by_lua_block { Kong.ssl_certificate() } @@ -200,7 +200,7 @@ http { ssl_certificate $(admin_ssl_cert[i]); ssl_certificate_key $(admin_ssl_cert_key[i]); > end - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; > end # injected nginx_admin_* directives 
@@ -237,7 +237,7 @@ http { ssl_certificate $(ssl_cert[i]); ssl_certificate_key $(ssl_cert_key[i]); > end - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; set_real_ip_from 127.0.0.1; @@ -557,7 +557,7 @@ stream { ssl_certificate $(ssl_cert[i]); ssl_certificate_key $(ssl_cert_key[i]); > end - ssl_protocols TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.2; content_by_lua_block { local sock = assert(ngx.req.socket(true)) diff --git a/spec/fixtures/aws-lambda.lua b/spec/fixtures/aws-lambda.lua index 0fa0dec8096..f7d38c6deee 100644 --- a/spec/fixtures/aws-lambda.lua +++ b/spec/fixtures/aws-lambda.lua @@ -17,7 +17,7 @@ local fixtures = { ssl_certificate ${{SSL_CERT}}; ssl_certificate_key ${{SSL_CERT_KEY}}; > end - ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; location ~ "/2015-03-31/functions/(?:[^/])*/invocations" { content_by_lua_block { diff --git a/spec/fixtures/mock_webserver_tpl.lua b/spec/fixtures/mock_webserver_tpl.lua index c1690cbfb54..f05ae8930ba 100644 --- a/spec/fixtures/mock_webserver_tpl.lua +++ b/spec/fixtures/mock_webserver_tpl.lua @@ -83,7 +83,7 @@ http { #end ssl_certificate ${cert_path}/kong_spec.crt; ssl_certificate_key ${cert_path}/kong_spec.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; #end # if check_hostname then diff --git a/spec/helpers.lua b/spec/helpers.lua index 1236a1db18f..9a0d3eb9c01 100644 --- a/spec/helpers.lua +++ b/spec/helpers.lua @@ -3521,7 +3521,7 @@ end -- -- ssl_certificate ${{SSL_CERT}}; -- ssl_certificate_key ${{SSL_CERT_KEY}}; --- ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; +-- ssl_protocols TLSv1.2 TLSv1.3; -- -- location ~ "/echobody" { -- content_by_lua_block { diff --git a/spec/helpers/http_mock/template.lua b/spec/helpers/http_mock/template.lua index 093bc0d334d..1d358172fb9 100644 --- a/spec/helpers/http_mock/template.lua +++ b/spec/helpers/http_mock/template.lua 
@@ -125,7 +125,7 @@ http { # if tls then ssl_certificate ../../spec/fixtures/kong_spec.crt; ssl_certificate_key ../../spec/fixtures/kong_spec.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; # end