Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(ssl) requiring upgrade to more secure TLS/1.2 #2119

Merged
merged 1 commit into from
Feb 27, 2017
Merged

chore(ssl) requiring upgrade to more secure TLS/1.2 #2119

merged 1 commit into from
Feb 27, 2017

Conversation

subnetmarco
Copy link
Member

Full changelog

  • Dropping support for unsecure TLS/1.0 and defaulting Upgrade responses to TLS/1.2.

thibaultcha
thibaultcha reviewed Feb 22, 2017
View reviewed changes
kong/core/handler.lua
@@ -86,7 +86,7 @@ return {

if api.https_only and not utils.check_https(api.http_if_terminated) then
ngx.header["connection"] = "Upgrade"
ngx.header["upgrade"] = "TLS/1.0, HTTP/1.1"
ngx.header["upgrade"] = "TLS/1.2, HTTP/1.1"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be TLS/1.2, TLS/1.1 rather?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I understand, the Upgrade header recommends a protocol that the client "may" use, and we recommend TLS/1.2. He can still use TLS/1.1 since it's supported by the server, but we would still recommend the latest one.

thibaultcha
thibaultcha reviewed Feb 22, 2017
View reviewed changes
Copy link
Member

@thibaultcha thibaultcha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only the Upgrade header thing to discuss I think.

feat(ssl) drop TLS/1.0 + upgrade to more secure TLS/1.2

* Nginx `ssl_protocols` directive now only allows TLS/1.1 and TLS/1.2
* `https_only` APIs now ask for TLS/1.2 upgrade instead of TLS/1.1

@subnetmarco subnetmarco merged commit 24cb2ba into release/0.10.0 Feb 27, 2017
@subnetmarco subnetmarco deleted the chore/ssl-upgrade branch February 27, 2017 17:52
@k3rn3l-p4n1c
Copy link

I've just migrated from version 0.9 to 0.10 and realize Android 4.2 is not supporting TLS/1.1. Now clients with this version can not connect to the server. Can I enable TLS/1.0 support or I have to downgrade kong?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thibaultcha thibaultcha thibaultcha left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@subnetmarco @k3rn3l-p4n1c @thibaultcha