Enable tls 1.3 in the nginx image #2384

Closed
dgregoire opened this issue Apr 20, 2018 · 12 comments · Fixed by #3296
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@dgregoire

FEATURE REQUEST

TLS 1.3 in nginx: add the right ciphers to the default config, and add TLSv1.3 to the TLS config string.

I can help if needed!

@aledbf
Member

aledbf commented Apr 20, 2018

@dgregoire we are going to do that after the official support in nginx. Please check https://trac.nginx.org/nginx/ticket/1529 and https://twitter.com/RichSalz/status/986123531913134080

@aledbf aledbf added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 20, 2018
@aledbf
Member

aledbf commented Jun 15, 2018

Closing. This is present in the nginx 1.15 cycle, but that could take up to a year and also depends on the final release of TLS 1.3.
https://trac.nginx.org/nginx/milestone/1.15

@aledbf aledbf closed this as completed Jun 15, 2018
@weisjohn

It would be nice to see this at least optionally enabled behind a setting in a ConfigMap, if possible, given that http://nginx.org/en/CHANGES says the following:

Changes with nginx 1.15.4                                        25 Sep 2018

    *) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

and

Changes with nginx 1.15.3                                        28 Aug 2018

    *) Feature: now TLSv1.3 can be used with BoringSSL.

@aledbf
Member

aledbf commented Oct 22, 2018

@weisjohn we need OpenSSL 1.1.1 to support TLS 1.3 (that version is present only in debian testing now)

@toutougabi
Contributor

Now that OpenSSL 1.1.1 is merged, is TLS 1.3 supported?

@aledbf
Member

aledbf commented Aug 6, 2019

@toutougabi yes, since 0.21.0, but it is not enabled by default. Please check https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-tls-version-and-ciphers

@nottrobin

@aledbf it's not clear from those links why 1.3 isn't enabled by default?

@vitobotta

Hi @aledbf I have set ssl-protocols to TLSv1.3 TLSv1.2 but I see no difference. TLS handshake still takes longer than 110ms for me. What else can I do?

@aledbf
Member

aledbf commented Mar 26, 2020

> TLS handshake still takes longer than 110ms for me. What else can I do?

How are you testing this? Did you use ssllabs.com/ssltest/analyze.html to check the configuration and https://www.webpagetest.org/runtest.php to check the behavior?
This is for a webapp or a REST API? I suggest you open a new issue with more information (like my previous questions) and some context about the scenario, i.e., where are you running, size of the vms, etc.

@vitobotta

Hi @aledbf I was checking with curl, but it wasn't built with support for 1.3. Fixed that, I see an improvement. Thanks :)

@JohnGalt1717

www.ssllabs.com still shows that TLS 1.3 isn't enabled even with nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.3 TLSv1.2"

@takyon77

takyon77 commented Aug 8, 2020

Like @JohnGalt1717 it seems that TLS 1.3 is not showing when trying to enable it:

    kubectl -n nginx-ingress get cm nginx-config -o yaml | grep ssl-protocol
    ssl-protocols: TLSv1.2 TLSv1.3

    nmap --script ssl-enum-ciphers -p 443 <nginx-ingress pod IP> | grep -E "TLSv|SSLv"
    | SSLv3: No supported ciphers found
    | TLSv1.2:

Is there something else to do to enable TLSv1.3?
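The ConfigMap key aledbf points to in the user guide, together with a client-side check of what the controller actually negotiates, as an added example that is not code from this thread or from ingress-nginx. The namespace `ingress-nginx`, the ConfigMap name `nginx-configuration` and the host are assumptions; the `ssl-protocols` key is the one named in the linked docs. The parser works on the summary block `openssl s_client` prints, so the comparisons posted above (curl, nmap) can be cross-checked with a third tool, and the client's own OpenSSL is tested first because a client built without TLS 1.3 (vitobotta's case) is indistinguishable from a server without it.

```shell
#!/bin/sh
# Added example, not from ingress-nginx. Assumed names: namespace
# "ingress-nginx", ConfigMap "nginx-configuration"; host/port are placeholders.

# 1. Enable TLS 1.3 alongside 1.2 via the controller ConfigMap.
#    "ssl-protocols" is the key documented in the ingress-nginx TLS user guide.
enable_tls13() {
  ns="${1:-ingress-nginx}"
  cm="${2:-nginx-configuration}"
  kubectl -n "$ns" patch configmap "$cm" --type merge \
    -p '{"data":{"ssl-protocols":"TLSv1.2 TLSv1.3"}}'
}

# 2. Extract the negotiated protocol from `openssl s_client` output.
#    s_client prints a summary line such as "    Protocol  : TLSv1.3".
#    stdin: s_client output; stdout: protocol name, or "none" if absent
parse_protocol() {
  proto=$(grep -E '^ *Protocol *:' | head -n 1 | sed -E 's/^ *Protocol *: *//')
  if [ -z "$proto" ]; then
    echo none
  else
    echo "$proto"
  fi
}

# 3. Check the client first: an OpenSSL without the -tls1_3 option cannot
#    tell you anything about the server's TLS 1.3 support.
client_supports_tls13() {
  openssl s_client -help 2>&1 | grep -q -- '-tls1_3'
}

# 4. Force a TLS 1.3-only handshake. If the server does not offer 1.3 the
#    handshake fails, s_client prints no Protocol line, and we report "none".
negotiated_protocol() {
  host="$1"; port="${2:-443}"
  client_supports_tls13 || { echo "client openssl lacks -tls1_3" >&2; return 2; }
  openssl s_client -connect "$host:$port" -servername "$host" -tls1_3 </dev/null 2>/dev/null \
    | parse_protocol
}

# Usage against a real cluster (commented out so this file runs offline):
# enable_tls13                               # then wait for the controller to reload
# negotiated_protocol ingress.example.invalid 443   # prints TLSv1.3 once enabled
```

The `-tls1_3` flag pins the client to a single version, so the result is unambiguous: `TLSv1.3` means the controller offers it, `none` means either the server refused or the client cannot speak it, and the pre-check separates those two cases.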

8 participants