plan B

Kong · Jan 30, 2024 · 7ba02d4 · 7ba02d4
1 parent 4ec87ad
commit 7ba02d4
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/kong/conf_loader/parse.lua b/kong/conf_loader/parse.lua
@@ -433,12 +433,19 @@ local function check_and_parse(conf, opts)
         conf.nginx_http_ssl_dhparam = suite.dhparams
         conf.nginx_stream_ssl_dhparam = suite.dhparams
       else
-        conf.nginx_http_ssl_conf_command = "CipherString DEFAULT:@SECLEVEL=0"
-        conf.nginx_http_proxy_ssl_conf_command = "CipherString DEFAULT:@SECLEVEL=0"
-        conf.nginx_http_lua_ssl_conf_command = "CipherString DEFAULT:@SECLEVEL=0"
-        conf.nginx_stream_ssl_conf_command = "CipherString DEFAULT:@SECLEVEL=0"
-        conf.nginx_stream_proxy_ssl_conf_command = "CipherString DEFAULT:@SECLEVEL=0"
-        conf.nginx_stream_lua_ssl_conf_command = "CipherString DEFAULT:@SECLEVEL=0"
+        for _, key in ipairs({
+          "nginx_http_ssl_conf_command",
+          "nginx_http_proxy_ssl_conf_command",
+          "nginx_http_lua_ssl_conf_command",
+          "nginx_stream_ssl_conf_command",
+          "nginx_stream_proxy_ssl_conf_command",
+          "nginx_stream_lua_ssl_conf_command"}) do
+
+          local _, _, seclevel = string.find(conf[key] or "", "@SECLEVEL=(%d+)")
+          if conf[key] and seclevel ~= "0" then
+            ngx.log(ngx.WARN, key .. ": Default @SECLEVEL=0 overridden, TLSv1.1 unavailable")
+          end
+        end
       end
 
     else

diff --git a/kong/templates/nginx_kong.lua b/kong/templates/nginx_kong.lua
@@ -24,6 +24,11 @@ lua_shared_dict kong_db_cache_miss          12m;
 lua_shared_dict kong_secrets                5m;
 
 underscores_in_headers on;
+> if ssl_cipher_suite == 'old' then
+lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+> end
 > if ssl_ciphers then
 ssl_ciphers ${{SSL_CIPHERS}};
 > end

diff --git a/kong/templates/nginx_kong_stream.lua b/kong/templates/nginx_kong_stream.lua
@@ -33,6 +33,12 @@ ssl_ciphers ${{SSL_CIPHERS}};
 $(el.name) $(el.value);
 > end
 
+> if ssl_cipher_suite == 'old' then
+lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+> end
+
 init_by_lua_block {
 > if test and coverage then
     require 'luacov'