How to disable use of TLS version 1.0 #488
Comments
Hey @aye-aye-aye! Thanks for reporting this issue. Making the TLS version configurable will require to:
Would be lovely if you could make a PR 💛 I'll be here to answer any questions.
I spent some time getting the z2jh Traefik HTTPS setup to be as good as possible, balancing secure HTTPS vs support for older clients. We should be able to just steal that code - https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/jupyterhub/templates/proxy/autohttps/configmap.yaml#L65. This requires we use traefik 2.0 however...
I don't think we need to make TLS version configurable - we should just set up for what we count as good defaults, which in this case would use TLS 1.2 and disable some older versions...
Just as an FYI for anyone that may come across a similar issue, our VM team flagged us on use of an insecure cipher suite related to CVE-2016-2183 even after setting the minimum TLS version to v1.2. In our case we specified several suites in the traefik.toml config as a fix, e.g.
Our tljh has been flagged for a few vulnerability issues in a recent Qualys scan. We'd like to disable use of TLS v1.0 and v1.1 and some legacy block ciphers.
From reading the docs, I think we have to adjust the settings in /opt/tljh/state/traefik.toml, but I can't get it to work when following the advice laid out here: https://docs.traefik.io/https/tls/#tls-options
We are using manual HTTPS with an existing self-signed key and cert as described here: http://tljh.jupyter.org/en/latest/howto/admin/https.html#manual-https-with-existing-key-and-certificate
Has anyone any advice on how to disable TLS v1.0-1, or set minimum version as v1.2?
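
A check that could be run over `/opt/tljh/state/traefik.toml` after changing it, flagging a TLS floor below 1.2 and any 3DES (CVE-2016-2183) or RC4 suites; this is an added example, not code from this thread or from the TLJH project. It assumes Traefik 1.x file syntax with TLS settings under `[entryPoints.https.tls]`; the entry point name, the function names and the sample config are constructed for illustration.

```python
import re

# Assumption: Traefik 1.x file config, TLS settings under [entryPoints.<name>.tls].
ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
LEGACY = re.compile(r"3DES|RC4")  # 3DES suites are the CVE-2016-2183 family


def audit_tls(tls, floor="VersionTLS12"):
    """Return a list of findings for one entry point's tls table (a dict)."""
    findings = []
    version = tls.get("minVersion")
    if version is None:
        findings.append("minVersion not set")
    elif version not in ORDER:
        findings.append(f"unknown minVersion {version!r}")
    elif ORDER.index(version) < ORDER.index(floor):
        findings.append(f"minVersion {version} is below {floor}")
    suites = tls.get("cipherSuites")
    if not suites:
        # Policy of this example: require an explicit list, because the thread
        # reports a cipher finding that survived raising the minimum version.
        findings.append("cipherSuites not pinned")
    else:
        findings += [f"legacy suite {s}" for s in suites if LEGACY.search(s)]
    return findings


def audit_toml(text, entrypoint="https"):
    """Parse traefik.toml text and audit the named entry point."""
    import tomllib  # standard library from Python 3.11
    config = tomllib.loads(text)
    tls = config.get("entryPoints", {}).get(entrypoint, {}).get("tls")
    return ["entry point has no tls table"] if tls is None else audit_tls(tls)


# Constructed sample, not the poster's actual traefik.toml.
SAMPLE = '''
[entryPoints.https]
address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"
  cipherSuites = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
  ]
'''

if __name__ == "__main__":
    for finding in audit_toml(SAMPLE):
        print(finding)
```

An empty result means the entry point meets the floor and pins only suites outside the 3DES/RC4 families; a scanner run is still the confirmation that the running proxy picked the file up.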