Please disable TLS 1.0 and 1.1 by default #6756
Comments
What are the reasons to still use 1.0 and 1.1?

For now, how to disable manually using the docker options? Is this default planned to be merged?
@dm17 add this to your dynamic configs:
Every container needs that or just the traefik container? I.e. is this correct:
No, that's for the dynamic configuration. An example:
and then add that file to your traefik container
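The dynamic configuration snippets that the two replies above refer to are not preserved in this thread. Below is an added example (not the commenter's file) of a Traefik v2 dynamic configuration that sets the default TLS options so every TLS router refuses TLS 1.0 and 1.1. The file name `dynamic.yml` and the cipher list are assumptions; `minVersion`, `VersionTLS12`, `sniStrict` and the `TLS_*` suite names are the documented Traefik/Go identifiers.

```yaml
# dynamic.yml (assumed name) - Traefik v2 dynamic configuration, loaded by the file provider.
# The option named "default" is applied to every TLS router that does not name another option.
tls:
  options:
    default:
      # Reject ClientHellos that cannot negotiate TLS 1.2 or later.
      minVersion: VersionTLS12
      # Optional: also drop the legacy CBC suites that TLS 1.0/1.1 clients
      # rely on (the curl -vv output below negotiated ECDHE-RSA-AES128-SHA on TLS 1.0).
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # Optional: refuse connections whose SNI matches no configured certificate
      # instead of falling back to the self-signed TRAEFIK DEFAULT CERT.
      sniStrict: true
```

Note that `cipherSuites` only affects TLS 1.2; TLS 1.3 suites are fixed by Go and cannot be tuned. After mounting the file into the Traefik container and enabling the file provider (`--providers.file.filename=/etc/traefik/dynamic.yml`, an assumed path), the `curl --tls-max 1.0` check quoted later in this thread is a simple way to confirm the handshake is now rejected.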
@heitorPB Thanks... I will consider it. I still use zero traefik.yml or traefik.toml files in my config because I wanted it to be all in the docker-compose.yml - however, several features have me considering it.
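A caveat for the "everything in docker-compose.yml" approach: the Docker provider can only reference TLS options by name from router labels; the options themselves have to come from the file provider (or another dynamic provider). The compose file can still stay the single place you edit, by mounting a small dynamic file and enabling the file provider through command flags. The following is an added example, not the commenter's setup; the service names, the `./dynamic.yml` mount path and the `websecure` entrypoint name are assumptions, and the image tag reuses the v2.8.1 version mentioned in this thread.

```yaml
# docker-compose.yml (assumed) - keeps static config in flags, TLS options in one mounted file.
services:
  traefik:
    image: traefik:v2.8.1   # version mentioned in this thread; any 2.x works the same way
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # The file provider is what loads tls.options; labels cannot define them.
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # dynamic.yml contains tls.options.default.minVersion: VersionTLS12
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro

  whoami:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.localhost`)
      - traefik.http.routers.whoami.entrypoints=websecure
      # tls=true without naming an option picks up the "default" option from the file,
      # so every router like this one inherits the TLS 1.2 minimum.
      - traefik.http.routers.whoami.tls=true
```

Routers that need a different policy can name another option defined in the same file with `traefik.http.routers.<name>.tls.options=<option>@file`; routers that name none get `default`.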
There is a PR about this: #8951
The min version on the client side is TLS 1.2 since v2.8.1 (#9227)

$ curl -k --tls-max 1.0 https://whoami.localhost/ -vv
* Trying ::1:443...
* Connected to whoami.localhost (::1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1 / ECDHE-RSA-AES128-SHA
* ALPN: server accepted h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Aug 25 14:06:44 2022 GMT
* expire date: Aug 25 14:06:44 2023 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: whoami.localhost]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55fcffe7a820)
> GET / HTTP/2
> Host: whoami.localhost
> user-agent: curl/7.84.0
> accept: */*
>
* Empty reply from server
* Closing connection 0
* TLSv1.0 (IN), TLS alert, close notify (256):
* TLSv1.0 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server

$ curl -k --tls-max 1.2 https://whoami.localhost/ -vv
* Trying ::1:443...
* Connected to whoami.localhost (::1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Aug 25 14:06:44 2022 GMT
* expire date: Aug 25 14:06:44 2023 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: whoami.localhost]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55f9ffa6b820)
> GET / HTTP/2
> Host: whoami.localhost
> user-agent: curl/7.84.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< date: Thu, 25 Aug 2022 14:08:06 GMT
< content-length: 367
<
Hostname: f374babc1d7e
IP: 127.0.0.1
IP: 192.168.224.3
RemoteAddr: 192.168.224.2:43184
GET / HTTP/1.1
Host: whoami.localhost
User-Agent: curl/7.84.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 192.168.224.1
X-Forwarded-Host: whoami.localhost
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 882f3968a783
X-Real-Ip: 192.168.224.1
* Connection #0 to host whoami.localhost left intact
Using TLS 1.0 or 1.1 is considered insecure these days. It should be used only by those who really know what they're doing. For that reason, I suggest disabling TLS 1.0 and 1.1 by default.
I'm on Traefik 2.2.1.