[backport -> release/3.4.x] chore(conf): disable TLSv1.1 and lower in openssl 3.x (#12420) #12578

Merged
Feb 19, 2024
3 changes: 3 additions & 0 deletions changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml
@@ -0,0 +1,3 @@
message: now TLSv1.1 and lower is by default disabled in OpenSSL 3.x
type: feature
scope: Configuration
7 changes: 5 additions & 2 deletions kong.conf.default
Expand Up @@ -735,6 +735,7 @@
#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
# Accepted values are `modern`,
# `intermediate`, `old`, `fips` or `custom`.
# If you want to enable TLSv1.1, this value has to be `old`.
#
# See https://wiki.mozilla.org/Security/Server_Side_TLS
# for detailed descriptions of each cipher
Expand All @@ -747,13 +748,15 @@
# This value is ignored if `ssl_cipher_suite`
# is not `custom`.

#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
#ssl_protocols = TLSv1.2 TLSv1.3
# Enables the specified protocols for
# client-side connections. The set of
# supported protocol versions also depends
# on the version of OpenSSL Kong was built
# with. This value is ignored if
# `ssl_cipher_suite` is not `custom`.
# If you want to enable TLSv1.1, you should
# set `ssl_cipher_suite` to `old`.
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

Expand Down Expand Up @@ -1743,7 +1746,7 @@
#
# See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth

#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 # Defines the TLS versions supported
#lua_ssl_protocols = TLSv1.2 TLSv1.3 # Defines the TLS versions supported
# when handshaking with OpenResty's
# TCP cosocket APIs.
#
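Review bot: The new comment `# If you want to enable TLSv1.1, this value has to be `old`.` tells the reader how, but not what else `old` now does: the template change in this same PR makes the `old` suite emit `ssl_conf_command CipherString DEFAULT:@SECLEVEL=0`, and OpenSSL security level 0 relaxes key-size and signature-algorithm checks for the whole listener, not just the protocol floor. Suggest adding one more line after it, `# Note that `old` also sets OpenSSL's @SECLEVEL to 0, which relaxes key-size and signature-algorithm checks beyond re-enabling TLSv1.1.`, and the same sentence in the `ssl_protocols` paragraph further down, which currently only says to set `ssl_cipher_suite` to `old`. Operators choosing `old` for one legacy client should be able to see from this file that they are lowering the security level globally.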
16 changes: 16 additions & 0 deletions kong/conf_loader/init.lua
Expand Up @@ -982,6 +982,22 @@ local function check_and_parse(conf, opts)
conf.ssl_dhparam = suite.dhparams
conf.nginx_http_ssl_dhparam = suite.dhparams
conf.nginx_stream_ssl_dhparam = suite.dhparams
else
for _, key in ipairs({
"nginx_http_ssl_conf_command",
"nginx_http_proxy_ssl_conf_command",
"nginx_http_lua_ssl_conf_command",
"nginx_stream_ssl_conf_command",
"nginx_stream_proxy_ssl_conf_command",
"nginx_stream_lua_ssl_conf_command"}) do

if conf[key] then
local _, _, seclevel = string.find(conf[key], "@SECLEVEL=(%d+)")
if seclevel ~= "0" then
ngx.log(ngx.WARN, key, ": Default @SECLEVEL=0 overridden, TLSv1.1 unavailable")
end
end
end
end

else
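Review bot: `seclevel` is nil whenever the injected `*_ssl_conf_command` value does not mention `@SECLEVEL` at all, and `nil ~= "0"` is true, so the `ngx.log(ngx.WARN, ...)` line warns for any value at all (an `Options` command, for instance) even though, assuming Kong emits its own `CipherString DEFAULT:@SECLEVEL=0` directive at the same nginx level, both directives apply and TLSv1.1 stays available. Only an explicitly different level should trigger the warning: `local seclevel = conf[key]:match("@SECLEVEL=(%d+)")` followed by `if seclevel and seclevel ~= "0" then`, which also drops the two discarded `string.find` return values. Which `if` this `else` branch belongs to is outside the hunk; from the template changes it looks like the `old` cipher-suite path, and `check_and_parse` continues past the hunk in both directions.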
10 changes: 8 additions & 2 deletions kong/templates/kong_defaults.lua
Expand Up @@ -53,7 +53,7 @@ client_ssl_cert = NONE
client_ssl_cert_key = NONE
ssl_cipher_suite = intermediate
ssl_ciphers = NONE
ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
ssl_protocols = TLSv1.2 TLSv1.3
ssl_prefer_server_ciphers = on
ssl_dhparam = NONE
ssl_session_tickets = on
Expand Down Expand Up @@ -91,9 +91,15 @@ nginx_http_ssl_prefer_server_ciphers = NONE
nginx_http_ssl_dhparam = NONE
nginx_http_ssl_session_tickets = NONE
nginx_http_ssl_session_timeout = NONE
nginx_http_ssl_conf_command = NONE
nginx_http_proxy_ssl_conf_command = NONE
nginx_http_lua_ssl_conf_command = NONE
nginx_http_lua_regex_match_limit = 100000
nginx_http_lua_regex_cache_max_entries = 8192
nginx_http_keepalive_requests = 10000
nginx_stream_ssl_conf_command = NONE
nginx_stream_proxy_ssl_conf_command = NONE
nginx_stream_lua_ssl_conf_command = NONE
nginx_stream_ssl_protocols = NONE
nginx_stream_ssl_prefer_server_ciphers = NONE
nginx_stream_ssl_dhparam = NONE
Expand Down Expand Up @@ -170,7 +176,7 @@ router_flavor = traditional_compatible
lua_socket_pool_size = 30
lua_ssl_trusted_certificate = system
lua_ssl_verify_depth = 1
lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
lua_ssl_protocols = TLSv1.2 TLSv1.3
lua_package_path = ./?.lua;./?/init.lua;
lua_package_cpath = NONE

7 changes: 6 additions & 1 deletion kong/templates/nginx_kong.lua
Expand Up @@ -24,6 +24,11 @@ lua_shared_dict kong_db_cache_miss 12m;
lua_shared_dict kong_secrets 5m;

underscores_in_headers on;
> if ssl_cipher_suite == 'old' then
lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
> end
> if ssl_ciphers then
ssl_ciphers ${{SSL_CIPHERS}};
> end
Expand Down Expand Up @@ -462,7 +467,7 @@ server {
ssl_certificate $(admin_gui_ssl_cert[i]);
ssl_certificate_key $(admin_gui_ssl_cert_key[i]);
> end
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
> end

client_max_body_size 10m;
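Review bot: The new `ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;` in the http block is, if I read nginx's ssl module correctly, applied after `ssl_ciphers`, so for the `old` suite it would replace the list from `ssl_ciphers ${{SSL_CIPHERS}};` two lines below with OpenSSL's DEFAULT list rather than only lowering the security level. Worth verifying with a handshake against an `old`-suite listener; if confirmed, appending `@SECLEVEL=0` to the suite's cipher string instead of a separate `CipherString` command keeps the intended ciphers. Separately, nginx only inherits `ssl_conf_command` into a server block when that block has no `ssl_conf_command` of its own, so a server-level one (for instance injected through the per-server `nginx_proxy_*`/`nginx_admin_*` prefixes) silently drops this http-level line, and the loader's new warning list only covers the `nginx_http_*`/`nginx_stream_*` keys. The same block is added in kong/templates/nginx_kong_stream.lua and has the same two concerns.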
6 changes: 6 additions & 0 deletions kong/templates/nginx_kong_stream.lua
Expand Up @@ -33,6 +33,12 @@ ssl_ciphers ${{SSL_CIPHERS}};
$(el.name) $(el.value);
> end

> if ssl_cipher_suite == 'old' then
lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
> end

init_by_lua_block {
-- shared dictionaries conflict between stream/http modules. use a prefix.
local shared = ngx.shared
10 changes: 5 additions & 5 deletions spec/01-unit/03-conf_loader_spec.lua
Expand Up @@ -1540,19 +1540,19 @@ describe("Configuration loader", function()
assert.is_nil(err)
assert.is_table(conf)

assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols)
assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols)
assert.equal("TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols)
assert.equal("TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols)
end)

it("sets lua_ssl_protocols to user specified value", function()
local conf, err = conf_loader(nil, {
lua_ssl_protocols = "TLSv1.1"
lua_ssl_protocols = "TLSv1.2"
})
assert.is_nil(err)
assert.is_table(conf)

assert.equal("TLSv1.1", conf.nginx_http_lua_ssl_protocols)
assert.equal("TLSv1.1", conf.nginx_stream_lua_ssl_protocols)
assert.equal("TLSv1.2", conf.nginx_http_lua_ssl_protocols)
assert.equal("TLSv1.2", conf.nginx_stream_lua_ssl_protocols)
end)

it("sets nginx_http_lua_ssl_protocols and nginx_stream_lua_ssl_protocols to different values", function()
4 changes: 2 additions & 2 deletions spec/01-unit/04-prefix_handler_spec.lua
Expand Up @@ -1461,7 +1461,7 @@ describe("NGINX conf compiler", function()
local http_inject_conf = prefix_handler.compile_nginx_http_inject_conf(helpers.test_conf)
assert.matches("lua_ssl_verify_depth%s+1;", http_inject_conf)
assert.matches("lua_ssl_trusted_certificate.+;", http_inject_conf)
assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", http_inject_conf)
assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", http_inject_conf)
end)
it("sets lua_ssl_verify_depth", function()
local conf = assert(conf_loader(helpers.test_conf_path, {
Expand Down Expand Up @@ -1501,7 +1501,7 @@ describe("NGINX conf compiler", function()
local stream_inject_conf = prefix_handler.compile_nginx_stream_inject_conf(helpers.test_conf)
assert.matches("lua_ssl_verify_depth%s+1;", stream_inject_conf)
assert.matches("lua_ssl_trusted_certificate.+;", stream_inject_conf)
assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", stream_inject_conf)
assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", stream_inject_conf)
end)
it("sets lua_ssl_verify_depth", function()
local conf = assert(conf_loader(helpers.test_conf_path, {
4 changes: 2 additions & 2 deletions spec/01-unit/28-inject_confs_spec.lua
Expand Up @@ -18,12 +18,12 @@ lmdb_map_size 2048m;
local http_conf = fmt([[
lua_ssl_verify_depth 1;
lua_ssl_trusted_certificate '%s/servroot/.ca_combined';
lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
lua_ssl_protocols TLSv1.2 TLSv1.3;
]], cwd)
local stream_conf = fmt([[
lua_ssl_verify_depth 1;
lua_ssl_trusted_certificate '%s/servroot/.ca_combined';
lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
lua_ssl_protocols TLSv1.2 TLSv1.3;
]], cwd)

local args = {
8 changes: 4 additions & 4 deletions spec/fixtures/1.2_custom_nginx.template
Expand Up @@ -98,7 +98,7 @@ http {
ssl_certificate $(ssl_cert[i]);
ssl_certificate_key $(ssl_cert_key[i]);
> end
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate_by_lua_block {
Kong.ssl_certificate()
}
Expand Down Expand Up @@ -200,7 +200,7 @@ http {
ssl_certificate $(admin_ssl_cert[i]);
ssl_certificate_key $(admin_ssl_cert_key[i]);
> end
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
> end

# injected nginx_admin_* directives
Expand Down Expand Up @@ -237,7 +237,7 @@ http {
ssl_certificate $(ssl_cert[i]);
ssl_certificate_key $(ssl_cert_key[i]);
> end
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;

set_real_ip_from 127.0.0.1;

Expand Down Expand Up @@ -557,7 +557,7 @@ stream {
ssl_certificate $(ssl_cert[i]);
ssl_certificate_key $(ssl_cert_key[i]);
> end
ssl_protocols TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;

content_by_lua_block {
local sock = assert(ngx.req.socket(true))
2 changes: 1 addition & 1 deletion spec/fixtures/aws-lambda.lua
Expand Up @@ -17,7 +17,7 @@ local fixtures = {
ssl_certificate ${{SSL_CERT}};
ssl_certificate_key ${{SSL_CERT_KEY}};
> end
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;

location ~ "/2015-03-31/functions/(?:[^/])*/invocations" {
content_by_lua_block {
2 changes: 1 addition & 1 deletion spec/fixtures/mock_webserver_tpl.lua
Expand Up @@ -83,7 +83,7 @@ http {
#end
ssl_certificate ${cert_path}/kong_spec.crt;
ssl_certificate_key ${cert_path}/kong_spec.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#end
# if check_hostname then
2 changes: 1 addition & 1 deletion spec/helpers.lua
Expand Up @@ -3521,7 +3521,7 @@ end
--
-- ssl_certificate ${{SSL_CERT}};
-- ssl_certificate_key ${{SSL_CERT_KEY}};
-- ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-- ssl_protocols TLSv1.2 TLSv1.3;
--
-- location ~ "/echobody" {
-- content_by_lua_block {
2 changes: 1 addition & 1 deletion spec/helpers/http_mock/template.lua
Expand Up @@ -125,7 +125,7 @@ http {
# if tls then
ssl_certificate ../../spec/fixtures/kong_spec.crt;
ssl_certificate_key ../../spec/fixtures/kong_spec.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

# end