Traefik suddenly offers SSLv3 #5335

SISheogorath opened this issue Sep 10, 2019 · 5 comments



commented Sep 10, 2019

Do you want to request a feature or report a bug?


Did you try using a 1.7.x configuration for the version 2.0?

  • Yes
  • No

What did you do?

I updated from 1.7.13 to version 1.7.14 of Traefik. Then I ran a TLS check ( and suddenly got a rating downgrade from A+ to B.

What did you expect to see?

I expected to see my original A+ rating to continue to be A+ due to secure defaults.


What did you see instead?

Rating went down from A+ to B because Traefik suddenly starts to support SSLv3.


Output of traefik version: (What version of Traefik are you using?)

$ docker run --rm traefik:v1.7.14 version
Version:      v1.7.14
Codename:     maroilles
Go version:   go1.12.8
Built:        2019-08-14_09:46:58AM
OS/Arch:      linux/amd64
$ docker run --rm traefik:v1.7.13 version
Version:      v1.7.13
Codename:     maroilles
Go version:   go1.11.12
Built:        2019-08-08_04:46:14PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

version: '2'
    image: traefik:v1.7.14
    cpu_shares: 3072
    mem_limit: 256mb
    memswap_limit: 512mb
    read_only: true
      - dockersocket
      - label=level:s0:c100

    - "80:80"
    - "443:443"

    - "/var/srv/traefik/acme:/etc/traefik/acme"

    command: "-c /dev/null --docker --docker.endpoint=tcp://dockersocket:2375 --acme<redacted> --acme.entryPoint=https --acme.onhostrule --acme.dnsprovider=cloudflare --acme.dnschallenge --entryPoints='Name:http Address::80 Redirect.EntryPoint:https' --entryPoints='Name:https Address::443 Compress:true TLS' --defaultentrypoints=http,https --docker.exposedbydefault=false --insecureskipverify=true"

I don't use an additional toml file for configuration.

I have an idea where it might come from:

At least this seems to be the latest change to the TLS code which might lead to autodetected SSLv3 support? As there is a cipher overlap between TLS1.0 and SSLv3 around TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Additional hint: I verified that just by changing the image version back to 1.7.13 the rating went back to A+ and SSLv3 was disabled.



commented Sep 10, 2019

Note that the constants in question are detailed in:

But more of note:

SSLv3 was always disabled by default, other than in Go 1.12,
when it was mistakenly enabled by default server-side.
It is now again disabled by default. (SSLv3 was never supported client-side.)


and the fix:




commented Sep 10, 2019

Thanks @SISheogorath for this report, we will work on getting this resolved ASAP.



commented Sep 10, 2019

Thanks! In the meanwhile I was able to help myself with this patch:

(Adding TLS.minVersion:VersionTLS10)



commented Sep 10, 2019

Cool. That was essentially what I was going to suggest you try, and was going to be my avenue for a patch.

Good to know that it will work.

dtomcej referenced this issue Sep 11, 2019
2 of 2 tasks complete

traefiker added this to the 1.7 milestone Sep 12, 2019

traefiker closed this Sep 12, 2019



commented Sep 12, 2019

Closed by #5356.
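
A way to check an endpoint for the behaviour reported in this thread, added here as an example and not code from Traefik or from any participant: since Go's crypto/tls client never spoke SSLv3, the probe writes a raw SSLv3 ClientHello and looks at the first record that comes back. The function names and the in-memory peer in main are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
)

// sslv3ClientHello builds a minimal SSLv3 (0x0300) ClientHello offering the
// three suites the report names as shared between SSLv3 and TLS 1.0.
func sslv3ClientHello() []byte {
	suites := []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
	body := append([]byte{0x03, 0x00}, make([]byte, 32)...) // client_version, random
	body = append(body, 0x00, 0x00, byte(2*len(suites)))    // no session id, suites length
	for _, s := range suites {
		body = append(body, byte(s>>8), byte(s))
	}
	body = append(body, 0x01, 0x00) // one compression method: null
	hs := append([]byte{0x01, 0x00, 0x00, byte(len(body))}, body...) // type 1 = ClientHello
	return append([]byte{0x16, 0x03, 0x00, 0x00, byte(len(hs))}, hs...)
}

// AcceptsSSLv3 sends the hello on conn and reports whether the peer answers with
// a handshake record at version 3.0, i.e. a ServerHello agreeing to SSLv3. An
// alert record or a closed connection is a refusal. Set a deadline on real sockets.
func AcceptsSSLv3(conn net.Conn) (bool, error) {
	if _, err := conn.Write(sslv3ClientHello()); err != nil {
		return false, err
	}
	hdr := make([]byte, 5) // record header: type, version (2), length (2)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return false, nil
		}
		return false, err
	}
	return hdr[0] == 0x16 && hdr[1] == 0x03 && hdr[2] == 0x00, nil
}

func main() {
	// Constructed in-memory peer: a Go TLS server with MinVersion pinned to TLS 1.0.
	client, server := net.Pipe()
	go tls.Server(server, &tls.Config{MinVersion: tls.VersionTLS10}).Handshake()
	ok, err := AcceptsSSLv3(client)
	client.Close()
	fmt.Println("accepts SSLv3:", ok, err)
}
```

Against a listening service, pass the result of net.Dial to AcceptsSSLv3; a true result means the server agreed to SSLv3 and the minimum version needs pinning as in the workaround above.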
