Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

help request: want to know how to support sslv3 in apisix #11349

Closed
jujiale opened this issue Jun 12, 2024 · 2 comments
Closed

help request: want to know how to support sslv3 in apisix #11349

jujiale opened this issue Jun 12, 2024 · 2 comments

Comments

@jujiale
Copy link
Contributor

jujiale commented Jun 12, 2024

Description

Hello,for some reason,we need to support SSLv3 TLSv1 TLSv1.1 in our apisix, I added TLSv1 and TLSv1.1 ssl_ciphers. after doing this. I test it with my java client(specify TLS version), it works fine,the following is my config:
`

ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

`
the above config works fine. I test TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 , all ok.

in my apisix machine, openssl version is v1.1.1s. I use the following command:
`

# openssl ciphers -v | grep SSLv3
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1

`

then I add the cipher in ssl_ciphers and add protol SSLv3 in ssl_protocols:
`

ssl_protocols: SSLv3
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

`

I added crt and key in apisix ssl model,as below:
image

then I use java client specify SSLv3 ,send a request. the handshake is failed:
image

what more confuse me is when config ssl_protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 SSLv3,I use java client specify SSLv3 ,send a request. the packet is indicate using TLSv1, I do not know why.
image

I want to know, how support SSLv3 in apisix, need your help, thanks

Environment

  • APISIX version (run apisix version): 2.15.0
  • Operating system (run uname -a):Linux 3.10.0-1160.71.1.el7.x86_64
  • OpenResty / Nginx version (run openresty -V or nginx -V):openresty/1.21.4.2
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):3.5.0
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@kayx23
Copy link
Member

kayx23 commented Jun 13, 2024

ssl_protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 SSLv3

No need to specify SSLv3. TLSv1.3 is enough.

@moonming
Copy link
Member

SSLv3 is an outdated and insecure protocol, and it's recommended to use more secure versions like TLSv1.2 or TLSv1.3.

If you must enable SSLv3, you can first test the behavior of NGINX. Apache APISIX is consistent with NGINX in this ability.

@jujiale jujiale closed this as completed Jul 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Apache APISIX backlog
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@moonming @kayx23 @jujiale