help request: Setting TLS version not effective #11554

Open
hoo-al opened this issue Sep 6, 2024 · 0 comments
Labels
question label for questions asked by users

hoo-al commented Sep 6, 2024

Description

I installed apisix-2.15.0 using Helm in my self-built K8s.
There is a setting in the configuration file for ssl_protocols TLSv1.2 TLSv1.3; and you can see the corresponding configuration lines in the config.yaml of each pod.
But my website still supports TLSv1.0 and TLSv1.1, and there are no other load balancing or similar devices on the website.
How can I turn off support for TLSv1.0 and TLSv1.1?

server {
    listen 0.0.0.0:80 default_server reuseport;
    listen [::]:80 default_server reuseport;
    listen 0.0.0.0:9443 ssl default_server http2 reuseport;
    listen [::]:9443 ssl default_server http2 reuseport;
    listen 0.0.0.0:443 ssl default_server http2 reuseport;
    listen [::]:443 ssl default_server http2 reuseport;

    server_name _;

    ssl_certificate      cert/ssl_PLACE_HOLDER.crt;
    ssl_certificate_key  cert/ssl_PLACE_HOLDER.key;
    ssl_session_cache    shared:SSL:20m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    ……
}

Environment

  • APISIX version (run apisix version): 2.15.0
  • Operating system (run uname -a): Linux apisix-skh6n 3.10.0-1160.71.1.el7.x86_64 #1 SMP Tue Jun 28 15:37:28 UTC 2022 x86_64 Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.21.4.1
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@github-project-automation github-project-automation bot moved this to 📋 Backlog in Apache APISIX backlog Sep 6, 2024
@dosubot dosubot bot added the question label for questions asked by users label Sep 6, 2024
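
A client-side check of which protocol versions a listener like the one in this issue actually negotiates, added here as an example (it is not from the issue author or the APISIX project). It pins one version per handshake with Python's `ssl` module; the host name in `__main__` is a placeholder, and a result of `client-unsupported` means the local OpenSSL build cannot offer that version, so nothing can be concluded about the server.

```python
import socket
import ssl
import warnings

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Client context offering only `version`; None if local OpenSSL cannot speak it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only protocol support is tested,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3.x negotiates TLS 1.0/1.1 only at security level 0.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx

def probe(host, port, sni=None, timeout=5.0):
    """Map each version name to accepted / rejected / unreachable / client-unsupported."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = pinned_context(version)
        if ctx is None:
            results[name] = "client-unsupported"
            continue
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        try:
            # SNI carries the site name so the probe is routed like a real client.
            with raw, ctx.wrap_socket(raw, server_hostname=sni or host):
                results[name] = "accepted"
        except OSError:  # alert, reset, EOF or timeout during the handshake
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    # Placeholder target: substitute the gateway address and site name.
    for name, status in probe("gateway.example.internal", 443).items():
        print(name, status)
```

Run it against each `ssl` listen port from the server block (443 and 9443) after a configuration change; `accepted` for TLSv1.0 or TLSv1.1 means the running listener is not using the `ssl_protocols` value shown in the file.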