[backport -> release/3.6.x] chore(conf): disable TLSv1.1 and lower in openssl 3.x

changelog/unreleased/kong/disable-TLSv1_1-in-openssl3.yml

@@ -0,0 +1,3 @@
+message: now TLSv1.1 and lower is by default disabled in OpenSSL 3.x
+type: feature
+scope: Configuration

kong.conf.default

@@ -748,6 +748,7 @@
 #ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
                                  # Accepted values are `modern`,
                                  # `intermediate`, `old`, `fips` or `custom`.
+                                 # If you want to enable TLSv1.1, this value has to be `old`.
                                  #
                                  # See https://wiki.mozilla.org/Security/Server_Side_TLS
                                  # for detailed descriptions of each cipher
@@ -762,13 +763,15 @@
                                  # If you use DHE ciphers, you must also
                                  # configure the `ssl_dhparam` parameter.
 
-#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+#ssl_protocols = TLSv1.2 TLSv1.3
                                  # Enables the specified protocols for
                                  # client-side connections. The set of
                                  # supported protocol versions also depends
                                  # on the version of OpenSSL Kong was built
                                  # with. This value is ignored if
                                  # `ssl_cipher_suite` is not `custom`.
+                                 # If you want to enable TLSv1.1, you should
+                                 # set `ssl_cipher_suite` to `old`.
                                  #
                                  # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
 
@@ -1763,7 +1766,7 @@
                                  #
                                  # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
 
-#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3   # Defines the TLS versions supported
+#lua_ssl_protocols = TLSv1.2 TLSv1.3   # Defines the TLS versions supported
                                                # when handshaking with OpenResty's
                                                # TCP cosocket APIs.
                                                #

kong/conf_loader/parse.lua

@@ -432,6 +432,23 @@ local function check_and_parse(conf, opts)
         conf.ssl_dhparam = suite.dhparams
         conf.nginx_http_ssl_dhparam = suite.dhparams
         conf.nginx_stream_ssl_dhparam = suite.dhparams
+
+      else
+        for _, key in ipairs({
+          "nginx_http_ssl_conf_command",
+          "nginx_http_proxy_ssl_conf_command",
+          "nginx_http_lua_ssl_conf_command",
+          "nginx_stream_ssl_conf_command",
+          "nginx_stream_proxy_ssl_conf_command",
+          "nginx_stream_lua_ssl_conf_command"}) do
+
+          if conf[key] then
+            local _, _, seclevel = string.find(conf[key], "@SECLEVEL=(%d+)")
+            if seclevel ~= "0" then
+              ngx.log(ngx.WARN, key, ": Default @SECLEVEL=0 overridden, TLSv1.1 unavailable")
+            end
+          end
+        end
       end
 
     else

kong/templates/kong_defaults.lua

@@ -53,7 +53,7 @@ client_ssl_cert = NONE
 client_ssl_cert_key = NONE
 ssl_cipher_suite = intermediate
 ssl_ciphers = NONE
-ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+ssl_protocols = TLSv1.2 TLSv1.3
 ssl_prefer_server_ciphers = on
 ssl_dhparam = NONE
 ssl_session_tickets = on
@@ -91,9 +91,15 @@ nginx_http_ssl_prefer_server_ciphers = NONE
 nginx_http_ssl_dhparam = NONE
 nginx_http_ssl_session_tickets = NONE
 nginx_http_ssl_session_timeout = NONE
+nginx_http_ssl_conf_command = NONE
+nginx_http_proxy_ssl_conf_command = NONE
+nginx_http_lua_ssl_conf_command = NONE
 nginx_http_lua_regex_match_limit = 100000
 nginx_http_lua_regex_cache_max_entries = 8192
 nginx_http_keepalive_requests = 10000
+nginx_stream_ssl_conf_command = NONE
+nginx_stream_proxy_ssl_conf_command = NONE
+nginx_stream_lua_ssl_conf_command = NONE
 nginx_stream_ssl_protocols = NONE
 nginx_stream_ssl_prefer_server_ciphers = NONE
 nginx_stream_ssl_dhparam = NONE
@@ -170,7 +176,7 @@ router_flavor = traditional_compatible
 lua_socket_pool_size = 256
 lua_ssl_trusted_certificate = system
 lua_ssl_verify_depth = 1
-lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
+lua_ssl_protocols = TLSv1.2 TLSv1.3
 lua_package_path = ./?.lua;./?/init.lua;
 lua_package_cpath = NONE
 

kong/templates/nginx_kong.lua

@@ -24,6 +24,11 @@ lua_shared_dict kong_db_cache_miss          12m;
 lua_shared_dict kong_secrets                5m;
 
 underscores_in_headers on;
+> if ssl_cipher_suite == 'old' then
+lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+> end
 > if ssl_ciphers then
 ssl_ciphers ${{SSL_CIPHERS}};
 > end
@@ -503,7 +508,7 @@ server {
     ssl_certificate     $(admin_gui_ssl_cert[i]);
     ssl_certificate_key $(admin_gui_ssl_cert_key[i]);
 > end
-    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
 > end
 
     client_max_body_size 10m;

kong/templates/nginx_kong_stream.lua

@@ -33,6 +33,12 @@ ssl_ciphers ${{SSL_CIPHERS}};
 $(el.name) $(el.value);
 > end
 
+> if ssl_cipher_suite == 'old' then
+lua_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+proxy_ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+ssl_conf_command CipherString DEFAULT:@SECLEVEL=0;
+> end
+
 init_by_lua_block {
 > if test and coverage then
     require 'luacov'

spec/01-unit/03-conf_loader_spec.lua

@@ -1584,19 +1584,19 @@ describe("Configuration loader", function()
           assert.is_nil(err)
           assert.is_table(conf)
 
-          assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols)
-          assert.equal("TLSv1.1 TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols)
+          assert.equal("TLSv1.2 TLSv1.3", conf.nginx_http_lua_ssl_protocols)
+          assert.equal("TLSv1.2 TLSv1.3", conf.nginx_stream_lua_ssl_protocols)
         end)
 
         it("sets lua_ssl_protocols to user specified value", function()
           local conf, err = conf_loader(nil, {
-            lua_ssl_protocols = "TLSv1.1"
+            lua_ssl_protocols = "TLSv1.2"
           })
           assert.is_nil(err)
           assert.is_table(conf)
 
-          assert.equal("TLSv1.1", conf.nginx_http_lua_ssl_protocols)
-          assert.equal("TLSv1.1", conf.nginx_stream_lua_ssl_protocols)
+          assert.equal("TLSv1.2", conf.nginx_http_lua_ssl_protocols)
+          assert.equal("TLSv1.2", conf.nginx_stream_lua_ssl_protocols)
         end)
 
         it("sets nginx_http_lua_ssl_protocols and nginx_stream_lua_ssl_protocols to different values", function()

spec/01-unit/04-prefix_handler_spec.lua

@@ -1492,7 +1492,7 @@ describe("NGINX conf compiler", function()
       local http_inject_conf = prefix_handler.compile_nginx_http_inject_conf(helpers.test_conf)
       assert.matches("lua_ssl_verify_depth%s+1;", http_inject_conf)
       assert.matches("lua_ssl_trusted_certificate.+;", http_inject_conf)
-      assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", http_inject_conf)
+      assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", http_inject_conf)
     end)
     it("sets lua_ssl_verify_depth", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {
@@ -1532,7 +1532,7 @@ describe("NGINX conf compiler", function()
       local stream_inject_conf = prefix_handler.compile_nginx_stream_inject_conf(helpers.test_conf)
       assert.matches("lua_ssl_verify_depth%s+1;", stream_inject_conf)
       assert.matches("lua_ssl_trusted_certificate.+;", stream_inject_conf)
-      assert.matches("lua_ssl_protocols%s+TLSv1.1 TLSv1.2 TLSv1.3;", stream_inject_conf)
+      assert.matches("lua_ssl_protocols%s+TLSv1.2 TLSv1.3;", stream_inject_conf)
     end)
     it("sets lua_ssl_verify_depth", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {

spec/01-unit/28-inject_confs_spec.lua

@@ -18,12 +18,12 @@ lmdb_map_size         2048m;
       local http_conf = fmt([[
 lua_ssl_verify_depth   1;
 lua_ssl_trusted_certificate '%s/servroot/.ca_combined';
-lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+lua_ssl_protocols TLSv1.2 TLSv1.3;
 ]], cwd)
       local stream_conf = fmt([[
 lua_ssl_verify_depth   1;
 lua_ssl_trusted_certificate '%s/servroot/.ca_combined';
-lua_ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+lua_ssl_protocols TLSv1.2 TLSv1.3;
 ]], cwd)
 
       local args = {

spec/fixtures/1.2_custom_nginx.template

@@ -98,7 +98,7 @@ http {
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
         ssl_certificate_by_lua_block {
             Kong.ssl_certificate()
         }
@@ -200,7 +200,7 @@ http {
         ssl_certificate     $(admin_ssl_cert[i]);
         ssl_certificate_key $(admin_ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
 > end
 
         # injected nginx_admin_* directives
@@ -237,7 +237,7 @@ http {
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
 
         set_real_ip_from 127.0.0.1;
 
@@ -557,7 +557,7 @@ stream {
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_protocols TLSv1.2;
 
         content_by_lua_block {
             local sock = assert(ngx.req.socket(true))

spec/fixtures/aws-lambda.lua

@@ -17,7 +17,7 @@ local fixtures = {
           ssl_certificate ${{SSL_CERT}};
           ssl_certificate_key ${{SSL_CERT_KEY}};
 > end
-          ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_protocols TLSv1.2 TLSv1.3;
 
           location ~ "/2015-03-31/functions/(?:[^/])*/invocations" {
               content_by_lua_block {

spec/fixtures/mock_webserver_tpl.lua

@@ -85,7 +85,7 @@ http {
 
     ssl_certificate     ${cert_path}/kong_spec.crt;
     ssl_certificate_key ${cert_path}/kong_spec.key;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols TLSv1.2;
     ssl_ciphers   HIGH:!aNULL:!MD5;
 #end
 # if check_hostname then

spec/fixtures/template_inject/nginx_kong_test_custom_inject_http.lua

@@ -12,7 +12,7 @@ lua_shared_dict kong_mock_upstream_loggers  10m;
         ssl_certificate     $(ssl_cert[i]);
         ssl_certificate_key $(ssl_cert_key[i]);
 > end
-        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
 
         set_real_ip_from 127.0.0.1;
 

spec/fixtures/template_inject/nginx_kong_test_custom_inject_stream.lua

@@ -8,7 +8,7 @@ server {
     ssl_certificate     $(ssl_cert[i]);
     ssl_certificate_key $(ssl_cert_key[i]);
 > end
-    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
 
     content_by_lua_block {
         local sock = assert(ngx.req.socket())
@@ -51,4 +51,4 @@ server {
     proxy_socket_keepalive on;
 }
 > end -- cluster_ssl_tunnel
-]]
+]]

spec/fixtures/template_inject/nginx_kong_test_tcp_echo_server_custom_inject_stream.lua

@@ -7,7 +7,7 @@ server {
     ssl_certificate     $(ssl_cert[i]);
     ssl_certificate_key $(ssl_cert_key[i]);
 > end
-    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
 
     content_by_lua_block {
         local sock = assert(ngx.req.socket())

spec/helpers.lua

@@ -3603,7 +3603,7 @@ end
 --
 --          ssl_certificate ${{SSL_CERT}};
 --          ssl_certificate_key ${{SSL_CERT_KEY}};
---          ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+--          ssl_protocols TLSv1.2 TLSv1.3;
 --
 --          location ~ "/echobody" {
 --            content_by_lua_block {

spec/helpers/http_mock/template.lua

@@ -128,7 +128,7 @@ $(init)
 # if tls then
     ssl_certificate        ../../spec/fixtures/kong_spec.crt;
     ssl_certificate_key    ../../spec/fixtures/kong_spec.key;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols TLSv1.2;
     ssl_ciphers   HIGH:!aNULL:!MD5;
 
 # end