Community

Blog Events Webinars Tutorials Forum
  1. Blog
  2. Events
  3. Webinars
  4. Tutorials
  5. Forum
Create Account
×
Community Blog Alibaba Cloud Service Mesh FAQ (3): How to Configure TLS Protocol Versions to Enhance Security in ASM Gateways

Alibaba Cloud Service Mesh FAQ (3): How to Configure TLS Protocol Versions to Enhance Security in ASM Gateways

Part 3 of this series describes how to configure the TLS protocol version on the ASM gateway to enhance website security.

By Xining Wang

Alibaba Cloud Service Mesh FAQ (1): How to Use the WebSocket over HTTP/2 Protocol

Alibaba Cloud Service Mesh FAQ (2): Use ASM to Implement Service Slow-Start Mode to Support the Warm-Up

Alibaba Cloud Service Mesh FAQ (3): How to Configure TLS Protocol Versions to Enhance Security in ASM Gateways

Alibaba Cloud Service Mesh FAQ (4): How to Use Traffic Mirroring across Clusters Based on Intra-Cluster Service Layer and Mesh Layer

Alibaba Cloud Service Mesh FAQ (5): ASM Gateway Supports Creating HTTPS Listeners on the SLB Side

This article describes how to configure the TLS protocol version on the ASM gateway to enhance website security.

Prerequisites

Background

Earlier TLS versions, including TLS v1.0, had spotted security risks and decrypted them with powerful tools and systems, resulting in a data breach in transmission. Therefore, the best practice to enhance the security of the website is to disable earlier versions of TLS (v1.0 and v1.1) and only enable TLS v1.2 and later. It is important to disable weak ciphers in TLS v1.2.

Prepare the Certificate and Private Key Used by the Gateway

Let’s take the domain name aliyun.com as an example. Generate a certificate and private key for the gateway and save them as Secret. For example, if you already have a certificate and private key available for aliyun.com, you need to name the key aliyun.com.key and the certificate aliyun.com.crt. If you don't, you can generate the certificate and key by performing the following steps throughOpenSSL.

1.  Run the following command to create a root certificate and a private key:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt

2.  Run the following command to generate a certificate and a private key for the server of aliyun.com:

openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt

3.  In the kubeconfig environment of the cluster where the ingress gateway pod resides, run the following command to create a Secret that contains the certificate and private key in the istio-system namespace.

kubectl create -n istio-system secret tls myexample-tlsversion-credential --key=aliyun.com.key --cert=aliyun.com.crt

Create the Gateway Rule

  1. Log on to the ASM Console
  2. On the left-side navigation pane, choose Service Mesh> Mesh Management
  3. On the Mesh Management page, find the instance to be configured and click the instance name or click Manage in the Actions column.
  4. On the details page of the Mesh instance, choose Traffic Manager > Gateway Rules in the left-side navigation pane. On the right-side page, click Create from YAML.
  5. On the Create page, select a namespace and a scenario template and configure the following YAML. In this example, the default namespace is used. If you set the minProtocolVersion value to TLSV1_2 in the YAML file, TLS v1.0 and TLS v1.1 are disabled.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway-tlsversion-sample
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-tlsversion-credential
        minProtocolVersion: TLSV1_2
        mode: SIMPLE

Create a Virtual Service

  1. On the details page of the Mesh instance, choose Traffic Manager > Virtual Services in the left-side navigation pane. On the right-side page, click Create from YAML.
  2. On the Create page, select a namespace and a scenario template, and configure the following YAML:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-tlsversion-sample
spec:
  gateways:
    - mysdsgateway-tlsversion-sample
  hosts:
    - '*'
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
      route:
        - destination:
            host: productpage
            port:
              number: 9080

Verify the TLS Version

Testssl.sh is a free command line tool that can check whether the service on any port of the server supports TLS/SSL keys, protocols, and some encryption defects. In this example, testssl.sh is used to verify the TLS version.

1.  Run the following command to run testssl.sh in container mode:

docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https:// Gateway address /productpage

2.  Expected output:

Testing protocols via sockets except NPN+ALPN
SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    offered (OK)
TLS 1.3    offered (OK): final
......
Running client simulations (HTTP) via sockets
Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
IE 6 XP                      No connection
IE 8 Win 7                   No connection
IE 8 XP                      No connection
IE 11 Win 7                  No connection
IE 11 Win 8.1                No connection
IE 11 Win Phone 8.1          No connection
IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
Java 7u25                    No connection
Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)

The output shows that both TLS 1 and TLS 1.1 are not offered, which indicates that both versions are disabled. Both TLS 1.2 and TLS 1.3 are offered, which indicates that both versions are supported.

In the simulated request from the client, you can see that only clients that support TLS 1.2 and 1.3 can establish a connection.

How to use the TLS 1.2 Version

If you only need to use TLS 1.2, perform the following steps:

1.  Modify the gateway mesh rule configuration by referring to the following YAML. Set maxProtocolVersion and minProtocolVersion to TLSV1_2.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_2
        minProtocolVersion: TLSV1_2
        mode: SIMPLE

2.  Run the following command to perform a verification test:

docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https:// Gateway address /productpage

3.  Expected output:

Testing protocols via sockets except NPN+ALPN
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
......
 Running client simulations (HTTP) via sockets
 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Edge 101 Win 10 21H2         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Java 7u25                    No connection
 Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Thunderbird (91.9)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)

The expected output shows that both TLS 1 and TLS 1.1 are not offered. TLS 1.3 is not offered and downgraded to a weaker protocol, which indicates that three versions are disabled. TLS 1.2 is offered, which indicates that only TLS 1.2 is supported.

In the simulated request from the client, you can see that only clients that support the TLS 1.2 version can establish a connection.

How to use the TLS 1.3 Version

If you only need to use TLS 1.3, perform the following steps:

1.  Modify the gateway mesh rule configuration by referring to the following YAML file. Set maxProtocolVersion and minProtocolVersion to TLSV1_3.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_3
        minProtocolVersion: TLSV1_3
        mode: SIMPLE

2.  Run the following command to perform a verification test:

docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https:// Gateway address /productpage

3.  Expected output:

Testing protocols via sockets except NPN+ALPN
SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    not offered
TLS 1.3    offered (OK): final
......
Running client simulations (HTTP) via sockets
 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  No connection
 Android 7.0 (native)         No connection
 Android 8.1 (native)         No connection
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 No connection
 Edge 15 Win 10               No connection
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Java 7u25                    No connection
 Java 8u161                   No connection
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       No connection
 OpenSSL 1.0.2e               No connection
 OpenSSL 1.1.0l (Debian)      No connection
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Apple Mail (16.0)            No connection
 Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)

The output shows that TLS 1, TLS 1.1, and TLS 1.2 are all not offered, which indicates that these three versions are disabled. TLS 1.3 is offered, which indicates that only TLS 1.3 is supported. In the simulated request from the client, you can see that only clients that support TLS 1.3 can establish a connection.

Security Computing Kubernetes Istio cloud native Service Mesh Observability TLS ASM ASM Gateways
0 2 1
Share on

Read previous post:

Alibaba Cloud Service Mesh FAQ (2): Use ASM to Implement Service Slow-Start Mode to Support the Warm-Up

Read next post:

Alibaba Cloud Service Mesh FAQ (4): How to Use Traffic Mirroring across Clusters Based on Intra-Cluster Service Layer and Mesh Layer

Xi Ning Wang(王夕宁)

56 posts | 8 followers

You may also like

Comments

Xi Ning Wang(王夕宁)

56 posts | 8 followers

Related Products

More Posts by Xi Ning Wang(王夕宁)

See All