Remove some SSL ciphers from Certificate

Hi

I need help disabling the following weak ciphers as per a Qualys report:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK|256|

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK|128|

My Kubernetes version is:

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.8", GitCommit:"211047e9a1922595eaa3a1127ed365e9299a6c23", GitTreeState:"clean", BuildDate:"2019-10-15T12:02:12Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"linux/amd64"}

My ingress apiVersion is: extensions/v1beta1

My issuer.cert-manager.io apiVersion is: cert-manager.io/v1alpha2

Any help would be much appreciated. Thanks!!

1 Like

Cipher suites aren’t part of the certificate; they’re configured by your TLS server.

What are you using for your ingress?

https://ssl-config.mozilla.org/ may be of help

6 Likes

To be fair, with TLSv1.2 and lower, the cipher suite would contain RSA or ECDSA depending on the public key embedded within the certificate :wink:

But in general I agree with your post, and personally I'm not sure if this Community is the best place to ask this question, seeing that most (but certainly not all) users have little to no experience with Kubernetes. Other places might yield better/faster solutions.

3 Likes

These are my ingress (apiVersion: extensions/v1beta1) annotations:

  annotations:
    cert-manager.io/issuer: letsencrypt-test
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers "Server";
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-ciphers: “ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256”
    nginx.ingress.kubernetes.io/ssl-protocols: TLSv1.2
    nginx.org/server-tokens: "False"

The annotations for ssl-protocols and ssl-ciphers are something that I've tried from my research on various sites. Apparently these did not have any effect on the Qualys report.

TLS:

  tls:
  - hosts:
    - <my_address>
    secretName: test-dom-certificate
1 Like

Master of the obvious says: Then you are not making changes where the change is needed.
So... where is the change needed?
Without a :crystal_ball:, I wouldn't be much help.
Would you care to share the domain name?
Otherwise, this seems more like a question for a kubernetes forum than an LE forum.

3 Likes

It's test.spotmentor.com

Where/How does this play into the equation?:

x-powered-by: Express
3 Likes

This might be a paste problem on the forum, but these are the wrong quotes

For my next debugging step, I'd get the fully rendered nginx config out of the ingress.
something like

$ kubectl exec <nginx-ingress-pod> -n nginx-ingress -- nginx -T
(command taken from https://docs.nginx.com/nginx-ingress-controller/troubleshooting/troubleshoot-ingress-controller/)

2 Likes

This is the whole ingress yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: letsencrypt-test
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers "Server";
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-ciphers: “ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256”
    nginx.ingress.kubernetes.io/ssl-protocols: TLSv1.2
    nginx.org/server-tokens: "False"
  creationTimestamp: null
  generation: 1
  name: spotmentor-website-service-ingress-configurations
  selfLink: /apis/extensions/v1beta1/namespaces/testing/ingresses/spotmentor-website-service-ingress-configurations
spec:
  rules:
  - host: test.spotmentor.com
    http:
      paths:
      - backend:
          serviceName: spotmentor-website-service
          servicePort: 3000
        path: /
  tls:
  - hosts:
    - test.spotmentor.com
    secretName: test-dom-certificate
status:
  loadBalancer: {}

There's definitely a smart quote in there, instead of a plain ascii one, which is almost surely your problem.

4 Likes

So, are you saying that this annotation should have worked?

Yes, that annotation should do what you want, but I think it's being ignored or something because of the quote problem.

3 Likes
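As an added example (not code from the thread, from ingress-nginx, or from the NGINX Inc. controller): a POSIX sh script that reproduces the diagnosis above and checks the fix. It embeds a constructed manifest fragment carrying the annotation as posted, with U+201C/U+201D quotes, lints for typographic quotes, rewrites them to ASCII, extracts the ssl-ciphers value, and checks that it does not name the two suites from the Qualys report under their OpenSSL names (0xc028 is ECDHE-RSA-AES256-SHA384, 0xc027 is ECDHE-RSA-AES128-SHA256). The function and variable names are mine; `probe_cipher` is an online check against a real host and is defined but not run.

```shell
#!/bin/sh
# Added example: lint an Ingress manifest for typographic quotes that make
# the ssl-ciphers annotation unusable, rewrite them, and check the cipher list.

# UTF-8 byte sequences of U+201C, U+201D, U+2018, U+2019 (built with printf so
# this file itself stays pure ASCII).
LQ=$(printf '\342\200\234'); RQ=$(printf '\342\200\235')
LSQ=$(printf '\342\200\230'); RSQ=$(printf '\342\200\231')

# Constructed sample reproducing the posted annotation, bad quotes included.
sample_manifest() {
  printf '%s\n' \
    'apiVersion: extensions/v1beta1' \
    'kind: Ingress' \
    'metadata:' \
    '  annotations:' \
    "    nginx.ingress.kubernetes.io/ssl-ciphers: ${LQ}ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384${RQ}" \
    '    nginx.ingress.kubernetes.io/ssl-protocols: TLSv1.2'
}

# Print offending lines from stdin; return 1 if any typographic quote is found.
# LC_ALL=C makes grep match raw bytes, so the multibyte patterns work anywhere.
find_smart_quotes() {
  if LC_ALL=C grep -n -e "$LQ" -e "$RQ" -e "$LSQ" -e "$RSQ"; then
    return 1   # typographic quotes present: annotation value is wrong
  fi
  return 0
}

# Rewrite typographic quotes to their ASCII equivalents (stdin -> stdout).
fix_smart_quotes() {
  LC_ALL=C sed -e "s/$LQ/\"/g" -e "s/$RQ/\"/g" -e "s/$LSQ/'/g" -e "s/$RSQ/'/g"
}

# Extract the ssl-ciphers annotation value from a manifest on stdin,
# stripped of its surrounding ASCII double quotes.
ssl_ciphers_value() {
  sed -n '/nginx\.ingress\.kubernetes\.io\/ssl-ciphers:/{
    s/^.*ssl-ciphers:[[:space:]]*//
    s/^"//
    s/"[[:space:]]*$//
    p
  }'
}

# OpenSSL names of the two suites in the Qualys report:
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) -> ECDHE-RSA-AES256-SHA384
#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) -> ECDHE-RSA-AES128-SHA256
FLAGGED='ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256'

# Given a colon-separated OpenSSL cipher list, print any flagged suite it
# names and return 1; return 0 when the list is free of them.
flagged_ciphers_in() {
  found=0
  for c in $(printf '%s' "$1" | tr ':' ' '); do
    for f in $FLAGGED; do
      [ "$c" = "$f" ] && { echo "$c"; found=1; }
    done
  done
  [ "$found" -eq 0 ]
}

# Online check, not run here: after the fix, the server should refuse a
# flagged suite. openssl s_client exits non-zero when the handshake fails.
probe_cipher() {   # usage: probe_cipher host cipher-name
  if openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
       -cipher "$2" </dev/null >/dev/null 2>&1; then
    echo "$1 still accepts $2"; return 1
  fi
  echo "$1 refuses $2"; return 0
}

# Demo on the constructed manifest: lint, then show the rewritten lines.
sample_manifest | find_smart_quotes || echo "-> rewriting to ASCII quotes"
sample_manifest | fix_smart_quotes
```

Run it over a live manifest with `kubectl get ingress <name> -o yaml | sh -c '. ./lint.sh; find_smart_quotes'`, and after the fix confirm with `probe_cipher test.spotmentor.com ECDHE-RSA-AES128-SHA256`. One caveat on the posted list: the OpenSSL name for the ChaCha20 suite is ECDHE-RSA-CHACHA20-POLY1305; `openssl ciphers -v "<name>"` exits non-zero for a name it does not recognise, which is a cheap way to validate each token before putting it in an annotation.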

Compare these two lines:

3 Likes

Is there no servicePort for the "frontend"?
OR is 443 implied?

2 Likes

The nginx ingress controller listens on 80 and 443 by default. I don't even think there's an easy way to change it (without adding another layer of port forwarding on top).

4 Likes

Yes. Haven't changed anything in that regard. Please assume default values.

Alright, let me make this change and try again.

1 Like

Okay. This fixed it. I don't have the weak ciphers in the Qualys report anymore. Thanks!!
