If the use of earlier Transport Layer Security (TLS) versions exposes you to security risks, you can configure the TLS versions that an ingress gateway accepts. You can disable earlier versions such as TLS 1.0 and TLS 1.1 and allow only the more secure TLS 1.2 and later, which helps prevent risks such as man-in-the-middle attacks and data breaches. This keeps HTTPS connections between services and clients stable and secure.
Prerequisites
A Service Mesh (ASM) instance of Enterprise Edition or Ultimate Edition is created, and the version of the ASM instance is v1.14 or later. For more information, see Create an ASM instance and Update an ASM instance.
The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
An ingress gateway is deployed. For more information, see Create an ingress gateway.
An application is deployed in the ASM instance. For more information, see Deploy an application in an ASM instance.
Background information
Early TLS versions, including TLS 1.0, have known security weaknesses that can lead to data breaches in transit. The best practice for hardening a website is therefore to replace TLS 1.0 and TLS 1.1 with TLS 1.2 or later. Weak cipher suites must also be disabled in TLS 1.2.
Step 1: Prepare a certificate and a private key for the ingress gateway
Create a certificate and a private key for the ingress gateway, and store the certificate and private key in a secret. In this example, the aliyun.com domain name is used. If you have an available certificate and a private key for the aliyun.com domain name, rename the private key to aliyun.com.key and the certificate to aliyun.com.crt. Alternatively, run the following openssl commands to create a certificate and a private key.
Run the following command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
Run the following commands to create a certificate and a private key for the server of aliyun.com:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
Create a secret or certificate based on the version of your ASM instance.
For an ASM instance of a version earlier than v1.17
Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the kubeconfig file. Then, run the following command to create a secret that contains the certificate and private key in the istio-system namespace:
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
Important: The secret name cannot start with istio or prometheus, and cannot contain the token field.
For an ASM instance of v1.17 or later
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Certificate Management page, click Create. In the Certificate Information panel, configure the required parameters and click OK.
Parameter | Description
Name | Enter the name of the certificate. For this example, enter myexample-credential.
Public Key Certificate | Enter the content of the aliyun.com.crt certificate that is generated in Substep 2.
Private Key | Enter the content of the aliyun.com.key private key that is generated in Substep 2.
Step 2: Create an Istio gateway
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create from YAML.
On the Create page, select a namespace and a scenario template, and configure the following YAML code.
In this example, the default namespace is used. In the YAML code, the minProtocolVersion parameter is set to TLSV1_2, indicating that TLS 1.2 is used.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
Step 3: Create a virtual service
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select a namespace and a scenario template, and configure the following YAML code:
Step 4: Verify TLS versions
testssl.sh is a free command-line tool that checks which TLS/SSL protocol versions and ciphers a server offers on a given port, and it can also flag some cryptographic weaknesses. In this topic, testssl.sh is used to verify which TLS versions the ingress gateway accepts.
Run the following command to execute testssl.sh in a container:
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
In the expected output, "not offered" is displayed for both TLS 1 and TLS 1.1, indicating that the two versions are disabled. "offered" is displayed for both TLS 1.2 and TLS 1.3, indicating that these two versions are supported. The simulated client requests also indicate that only clients supporting TLS 1.2 or TLS 1.3 can establish connections.
(Optional) If you need to use TLS 1.2 only, perform the following steps:
Modify the YAML configuration of the Istio gateway that you created in Step 2 by setting both maxProtocolVersion and minProtocolVersion to TLSV1_2.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_2
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
Run the following command to verify that only TLS 1.2 is supported:
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
In the expected output, "not offered" is displayed for TLS 1 and TLS 1.1, and "not offered and downgraded to a weaker protocol" is displayed for TLS 1.3, indicating that these three TLS versions are disabled. "offered" is displayed for TLS 1.2, indicating that only TLS 1.2 is supported. The simulated client requests also indicate that only clients supporting TLS 1.2 can establish connections.
(Optional) If you need to use TLS 1.3 only, perform the following steps:
Modify the YAML configuration of the Istio gateway that you created in Step 2 by setting both maxProtocolVersion and minProtocolVersion to TLSV1_3.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_3
        minProtocolVersion: TLSV1_3
        mode: SIMPLE
Run the following command to verify that only TLS 1.3 is supported:
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
In the expected output, "not offered" is displayed for TLS 1.0, TLS 1.1, and TLS 1.2, indicating that these three TLS versions are disabled. "offered" is displayed for TLS 1.3, indicating that only TLS 1.3 is supported. The simulated client requests also indicate that only clients supporting TLS 1.3 can establish connections.
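The following Go program is an added example that is not part of this topic or of ASM. It models what the three Gateway configurations above do and what testssl.sh then reports: StartServer opens a local TLS listener whose accepted protocol range mirrors the Gateway tls.minProtocolVersion and tls.maxProtocolVersion values (TLSV1_2 alone, TLSV1_2 with both bounds, and TLSV1_3 with both bounds), and Probe performs one handshake per TLS version pinned to exactly that version, the way a version scan does. The listener uses Go's crypto/tls rather than the Envoy proxy behind a real ingress gateway, the certificate is generated in memory as a stand-in for the myexample-credential secret, and the names StartServer, Probe and protocolVersions are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// protocolVersions maps the Gateway tls.minProtocolVersion / maxProtocolVersion
// values to crypto/tls constants; "" means the field is not set (no bound).
var protocolVersions = map[string]uint16{
	"": 0, "TLSV1_0": tls.VersionTLS10, "TLSV1_1": tls.VersionTLS11,
	"TLSV1_2": tls.VersionTLS12, "TLSV1_3": tls.VersionTLS13,
}

// probeOrder lists the versions in the order testssl.sh reports them.
var probeOrder = []struct{ Name string; ID uint16 }{
	{"TLS 1", tls.VersionTLS10}, {"TLS 1.1", tls.VersionTLS11},
	{"TLS 1.2", tls.VersionTLS12}, {"TLS 1.3", tls.VersionTLS13}}

// selfSignedCert builds a throwaway in-memory certificate (constructed, not a real credential).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer opens a TLS listener on 127.0.0.1 that accepts exactly the protocol
// range the two Gateway fields allow; it returns the address and a stop function.
func StartServer(minProtocolVersion, maxProtocolVersion string) (string, func(), error) {
	minV, okMin := protocolVersions[minProtocolVersion]
	maxV, okMax := protocolVersions[maxProtocolVersion]
	if !okMin || !okMax {
		return "", nil, fmt.Errorf("unknown protocol version %q/%q", minProtocolVersion, maxProtocolVersion)
	}
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: minV, MaxVersion: maxV})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }() // complete or reject the handshake
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Probe tries one handshake per version: true = "offered", false = "not offered".
func Probe(addr string) map[string]bool {
	result := make(map[string]bool)
	for _, v := range probeOrder {
		conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: v.ID, MaxVersion: v.ID,
			InsecureSkipVerify: true}) // probe only: checks version support, not trust
		result[v.Name] = err == nil
		if err == nil {
			conn.Close()
		}
	}
	return result
}

func main() {
	for _, p := range [][2]string{{"TLSV1_2", ""}, {"TLSV1_2", "TLSV1_2"}, {"TLSV1_3", "TLSV1_3"}} {
		addr, stop, err := StartServer(p[0], p[1])
		if err != nil {
			panic(err)
		}
		fmt.Printf("minProtocolVersion=%q maxProtocolVersion=%q -> %v\n", p[0], p[1], Probe(addr))
		stop()
	}
}
```

Running the program prints, for each policy, which versions a pinned client could negotiate. With only minProtocolVersion set to TLSV1_2, TLS 1 and TLS 1.1 fail and TLS 1.2 and TLS 1.3 succeed; with both bounds at TLSV1_2 only TLS 1.2 succeeds; with both bounds at TLSV1_3 only TLS 1.3 succeeds, matching the three testssl.sh outputs described above. Treating any handshake failure as "not offered" is deliberate: a version scan cares about the outcome, not the particular alert the server sent.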