This topic describes how to configure Transport Layer Security (TLS) versions on an ingress gateway to enhance gateway security.
Prerequisites
- A Service Mesh (ASM) instance of Enterprise Edition or Ultimate Edition is created, and the instance version is 1.14 or later. For more information, see Create an ASM instance and Update an ASM instance.
- The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
- An ingress gateway service is deployed. For more information, see Create an ingress gateway service.
- An application is deployed in the ASM instance. For more information, see Deploy an application in an ASM instance.
Background information
Early TLS versions, including TLS 1.0, have known security risks. In addition, attackers can use powerful tools and systems to decrypt traffic that is protected by these versions, which can lead to data breaches in transmission. Therefore, the best practice for enhancing website security is to replace TLS 1.0 and TLS 1.1 with TLS 1.2 or later. You must also disable weak cipher suites in TLS 1.2.
Step 1: Prepare a certificate and a private key for the ingress gateway
Create a certificate and a private key for the ingress gateway, and store them in a secret. In this example, the aliyun.com domain name is used. If you already have a certificate and a private key for the aliyun.com domain name, rename the private key to aliyun.com.key and the certificate to aliyun.com.crt. Otherwise, run the following openssl commands to create them.
Run the following command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Run the following commands to create a certificate and a private key for the server of aliyun.com. The second command signs the server certificate with the root certificate and private key created in the previous step:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
Create a secret or certificate based on the version of your ASM instance.
An ASM instance of a version earlier than 1.17
Use kubectl to connect to the cluster to which the ingress gateway pod belongs, and run the following command to create a secret that contains the certificate and private key in the istio-system namespace:
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
Important: The secret name cannot start with istio or prometheus, and cannot contain the token field.
An ASM instance of version 1.17 or later
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- On the Certificate Management page, click Create. In the Certificate Information panel, configure the required parameters and click OK.
| Parameter | Description |
| --- | --- |
| Name | Enter the name of the certificate. For this example, enter myexample-credential. |
| Public Key Certificate | Enter the content of the aliyun.com.crt certificate that is generated in Substep 2. |
| Private Key | Enter the content of the aliyun.com.key private key that is generated in Substep 2. |
Step 2: Create an Istio gateway
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create from YAML.
- On the Create page, select a namespace and a scenario template, and configure the following YAML code.
In this example, the default namespace is used. In the YAML code, the minProtocolVersion parameter is set to TLSV1_2, which makes TLS 1.2 the lowest version that the gateway accepts; TLS 1.0 and TLS 1.1 are rejected, and TLS 1.3 remains enabled because no maxProtocolVersion is set.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
Step 3: Create a virtual service
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select a namespace and a scenario template, and configure the following YAML code:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-tlsversion-sample
spec:
  gateways:
    - mysdsgateway   # must match the name of the Istio gateway created in Step 2
  hosts:
    - '*'
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
      route:
        - destination:
            host: productpage
            port:
              number: 9080
Step 4: Verify TLS versions
testssl.sh is a free command line tool. It checks the service that a server provides on a port for the TLS/SSL protocol versions and cipher suites it supports, and it can also identify some cryptographic flaws. In this topic, testssl.sh is used to verify TLS versions.
Run the following command to execute testssl.sh in a container:
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
Expected output:
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

......

Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Java 7u25                    No connection
 Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
In the expected output, "not offered" is displayed for both TLS 1 and TLS 1.1, indicating that the two versions are disabled. "offered" is displayed for both TLS 1.2 and TLS 1.3, indicating that these two versions are supported. The simulated client requests also indicate that only clients that support TLS 1.2 or TLS 1.3 can establish connections.
Optional: If you need to use TLS 1.2 only, perform the following steps:
Modify the YAML configuration of the Istio gateway that you created in Step 2 by setting maxProtocolVersion and minProtocolVersion to TLSV1_2.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_2
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
Run the following command to verify that only TLS 1.2 is supported:
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
Expected output:
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol

......

Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Edge 101 Win 10 21H2         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 Java 7u25                    No connection
 Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
 Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
 Thunderbird (91.9)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
In the expected output, "not offered" is displayed for TLS 1 and TLS 1.1, and "not offered and downgraded to a weaker protocol" is displayed for TLS 1.3, indicating that the three TLS versions are disabled. "offered" is displayed for TLS 1.2, indicating that only TLS 1.2 is supported. The simulated client requests also indicate that only clients that support TLS 1.2 can establish connections.
Optional: If you need to use TLS 1.3 only, perform the following steps:
Modify the YAML configuration of the Istio gateway that you created in Step 2 by setting maxProtocolVersion and minProtocolVersion to TLSV1_3.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_3
        minProtocolVersion: TLSV1_3
        mode: SIMPLE
Run the following command to verify that only TLS 1.3 is supported:
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
Expected output:
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 TLS 1.3    offered (OK): final

......

Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  No connection
 Android 7.0 (native)         No connection
 Android 8.1 (native)         No connection
 Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 11 Win 7                  No connection
 IE 11 Win 8.1                No connection
 IE 11 Win Phone 8.1          No connection
 IE 11 Win 10                 No connection
 Edge 15 Win 10               No connection
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 Java 7u25                    No connection
 Java 8u161                   No connection
 Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
 LibreSSL 2.8.3 (Apple)       No connection
 OpenSSL 1.0.2e               No connection
 OpenSSL 1.1.0l (Debian)      No connection
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
 Apple Mail (16.0)            No connection
 Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
In the expected output, "not offered" is displayed for TLS 1.0, TLS 1.1, and TLS 1.2, indicating that the three TLS versions are disabled. "offered" is displayed for TLS 1.3, indicating that only TLS 1.3 is supported. The simulated client requests also indicate that only clients that support TLS 1.3 can establish connections.
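The protocol check that testssl.sh performs in Step 4 and in the two optional variants, reproduced as an added Go example (not code from this page, from ASM, or from testssl.sh): it starts a local stand-in for the ingress gateway with the same minProtocolVersion/maxProtocolVersion bounds a Gateway resource would apply, then probes it one TLS version at a time, exactly as the "Testing protocols" section does. The stand-in server, its throwaway in-memory certificate and the 127.0.0.1 listener are assumptions of the example; a real gateway would be probed with the docker command above instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Istio tls.minProtocolVersion / maxProtocolVersion values mapped to crypto/tls constants; an unset
// bound ("") maps to 0, which crypto/tls reads as "no explicit bound" (a Gateway with only a minimum).
var istioVersions = map[string]uint16{
	"TLSV1_0": tls.VersionTLS10, "TLSV1_1": tls.VersionTLS11,
	"TLSV1_2": tls.VersionTLS12, "TLSV1_3": tls.VersionTLS13,
}

// startGateway stands in for the ingress gateway: a throwaway self-signed aliyun.com certificate
// (constructed in memory, not the page's files) served with the version bounds the Gateway YAML applies.
func startGateway(minV, maxV string) (net.Listener, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"aliyun.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion: istioVersions[minV], MaxVersion: istioVersions[maxV]}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil { return nil, err }
	go func() { // only the handshake outcome matters, so hang up as soon as it completes
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// probe pins a client to exactly one protocol version per attempt, as testssl.sh's protocol check
// does; the self-signed certificate is deliberately not verified, only version negotiation is tested.
func probe(addr string) map[string]bool {
	offered := map[string]bool{}
	for name, v := range istioVersions {
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true, ServerName: "aliyun.com"}
		c, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, cfg)
		if offered[name] = err == nil; offered[name] {
			c.Close()
		}
	}
	return offered
}
```

A version that is reported as not offered here corresponds to a "not offered" line in the testssl.sh output, and a client that is pinned to such a version gets "No connection" in the client simulation.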