Please disable TLS 1.0 and 1.1 by default #6756
Labels
area/tls
breaking
kind/enhancement
a new or improved feature.
priority/P2
need to be fixed in the future
status/5-frozen-due-to-age
Projects
Milestone
Comments
ldez
added
area/tls
kind/enhancement
|
What are the reasons to still use 1.0 and 1.1? |
|
For now, how to disable manually using the docker options? This default is planned to be merged? |
|
@dm17 add this to your dynamic configs: |
Every container needs that or just the traefik container? I.e. is this correct: |
|
No, that's for the dynamic configuration. An example: and then add that file to your traefik container |
|
@heitorPB Thanks... I will consider it. I still use zero traefik.yml or treafik.toml files in my config because I wanted it to be all in the docker-compose.yml - however, several features have me considering it. |
|
There is a P/R about this : #8951 |
2 tasks
|
the min version on the client side is TLS1.2 since v2.8.1 #9227 $ curl -k --tls-max 1.0 https://whoami.localhost/ -vv
* Trying ::1:443...
* Connected to whoami.localhost (::1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1 / ECDHE-RSA-AES128-SHA
* ALPN: server accepted h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Aug 25 14:06:44 2022 GMT
* expire date: Aug 25 14:06:44 2023 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: whoami.localhost]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55fcffe7a820)
> GET / HTTP/2
> Host: whoami.localhost
> user-agent: curl/7.84.0
> accept: */*
>
* Empty reply from server
* Closing connection 0
* TLSv1.0 (IN), TLS alert, close notify (256):
* TLSv1.0 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server$ curl -k --tls-max 1.2 https://whoami.localhost/ -vv
* Trying ::1:443...
* Connected to whoami.localhost (::1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Aug 25 14:06:44 2022 GMT
* expire date: Aug 25 14:06:44 2023 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: whoami.localhost]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55f9ffa6b820)
> GET / HTTP/2
> Host: whoami.localhost
> user-agent: curl/7.84.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< date: Thu, 25 Aug 2022 14:08:06 GMT
< content-length: 367
<
Hostname: f374babc1d7e
IP: 127.0.0.1
IP: 192.168.224.3
RemoteAddr: 192.168.224.2:43184
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/7.84.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.224.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 882f3968a783
X-Real-Ip: 192.168.224.1
* Connection #0 to host whoami.localhost left intact |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Using TLS 1.0 or 1.1 is considered insecure these days. It should be used only by those who really know what they're doing. For that reason, I suggest disabling TLS 1.0 and 1.1 by default.
I'm on Traefik 2.2.1.
The text was updated successfully, but these errors were encountered: