TLS 1.0 and TLS 1.1 have known vulnerabilities that expose HTTPS traffic to man-in-the-middle attacks and data breaches. By setting a minimum TLS version on your Alibaba Cloud Service Mesh (ASM) ingress gateway, you block insecure protocol negotiations so that all client-to-gateway traffic uses TLS 1.2 or later. You must also disable weak cipher suites in TLS 1.2.
How it works
The Istio Gateway resource exposes a minProtocolVersion field under the tls section of each server entry. When you set this field to TLSV1_2, the Envoy proxy on the ingress gateway rejects any TLS handshake that negotiates a version lower than TLS 1.2. You can optionally set maxProtocolVersion to pin a specific version.
| Configuration | minProtocolVersion | maxProtocolVersion | Result |
|---|---|---|---|
| TLS 1.2 and later (recommended) | TLSV1_2 | Not set | Accepts TLS 1.2 and TLS 1.3 |
| TLS 1.2 only | TLSV1_2 | TLSV1_2 | Accepts TLS 1.2 only |
| TLS 1.3 only | TLSV1_3 | TLSV1_3 | Accepts TLS 1.3 only |
Prerequisites
Before you begin, make sure that you have:
- An ASM instance of Enterprise Edition or Ultimate Edition, v1.14 or later. For more information, see Create an ASM instance and Update an ASM instance.
- An ingress gateway deployed. For more information, see Create an ingress gateway.
- An application deployed in the cluster that is added to the ASM instance. For more information, see Deploy an application in an ACK cluster that is added to an ASM instance.
Step 1: Prepare a TLS certificate and private key
Create a TLS certificate and private key for the ingress gateway, then store them as a credential that the gateway can reference. The following example uses the aliyun.com domain name.
If you already have a certificate and private key for aliyun.com, rename them to aliyun.com.crt and aliyun.com.key, then skip to substep 3.
1. Generate a root certificate and private key:

```shell
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
```

2. Generate a server certificate and private key for aliyun.com:

```shell
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
```

3. Store the certificate. Choose the method that matches your ASM version:

- ASM earlier than v1.17: Create a Kubernetes Secret by running the following kubectl command against the cluster where the ingress gateway pod runs:

```shell
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
```

Important: The Secret name cannot start with istio or prometheus, and cannot contain the token field.

- ASM v1.17 or later: Use the ASM console:
  1. Log on to the ASM console. In the left-side navigation pane, choose Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Certificate Management.
  3. On the Certificate Management page, click Create. In the Certificate Information panel, configure the following parameters and click OK.

| Parameter | Description |
|---|---|
| Name | Enter the certificate name. For this example, enter myexample-credential. |
| Public Key Certificate | Enter the content of the aliyun.com.crt file generated in substep 2. |
| Private Key | Enter the content of the aliyun.com.key file generated in substep 2. |
Step 2: Create an Istio gateway with a minimum TLS version
1. Log on to the ASM console. In the left-side navigation pane, choose Mesh Management.
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create from YAML.
3. Select a namespace and paste the following YAML. This example uses the default namespace and sets minProtocolVersion to TLSV1_2 to enforce TLS 1.2 as the minimum version:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
```
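The table in "How it works" and the Gateway above define the policy; the following added example (not from the ASM documentation or from the Istio project) turns it into a check that can run before a manifest is applied, for instance in a CI job or a pre-commit hook. It walks every TLS-terminating server in a Gateway YAML file and fails when minProtocolVersion is missing, below TLSV1_2, or above maxProtocolVersion, which is the combination of mistakes that silently leaves TLS 1.0/1.1 enabled or makes the listener unable to negotiate anything. The first sample manifest is the Gateway from Step 2; the second is constructed for the demonstration and deliberately violates the policy twice.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation: a pre-apply policy gate for
# Istio Gateway manifests. Only real Istio Gateway fields are inspected
# (servers[].tls.mode, minProtocolVersion, maxProtocolVersion).

# check_gateway_tls FILE
# Prints one OK/FAIL line per TLS-terminating server and returns 0 only if every
# such server sets minProtocolVersion to TLSV1_2 or higher and does not set
# maxProtocolVersion below minProtocolVersion.
check_gateway_tls() {
  awk -v required=TLSV1_2 '
    function rank(v) {
      if (v == "TLSV1_0") return 0; if (v == "TLSV1_1") return 1
      if (v == "TLSV1_2") return 2; if (v == "TLSV1_3") return 3
      return -1                     # unset, TLS_AUTO or unknown
    }
    # Evaluate the server collected so far, then reset for the next one.
    function flush() {
      if (terminates) {
        n++
        if (rank(min) < 0) {
          printf "FAIL server %d: no explicit minProtocolVersion\n", n; bad++
        } else if (rank(min) < rank(required)) {
          printf "FAIL server %d: minProtocolVersion %s is below %s\n", n, min, required; bad++
        } else if (max != "" && rank(max) < rank(min)) {
          printf "FAIL server %d: maxProtocolVersion %s is below minProtocolVersion %s\n", n, max, min; bad++
        } else {
          printf "OK   server %d: min=%s max=%s\n", n, min, (max == "" ? "unset" : max)
        }
      }
      min = ""; max = ""; terminates = 0
    }
    # Each entry of servers[] starts with "- hosts:" or "- port:".
    /^[[:space:]]*-[[:space:]]+(hosts|port):/ { flush() }
    # Only these modes terminate TLS at the gateway, so only they are subject
    # to the protocol-version policy (PASSTHROUGH forwards the handshake).
    /^[[:space:]]*mode:[[:space:]]*(SIMPLE|MUTUAL|ISTIO_MUTUAL|OPTIONAL_MUTUAL)[[:space:]]*$/ { terminates = 1 }
    /^[[:space:]]*minProtocolVersion:/ { min = $2 }
    /^[[:space:]]*maxProtocolVersion:/ { max = $2 }
    END { flush(); exit (bad > 0) }
  ' "$1"
}

workdir=$(mktemp -d)
# Sample 1: the Gateway from Step 2 of this article; expected to pass.
cat > "$workdir/gateway-ok.yaml" <<'EOF'
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
EOF
# Sample 2 (constructed): one server still accepts TLS 1.0, the other sets
# maxProtocolVersion below minProtocolVersion; both must be reported.
cat > "$workdir/gateway-bad.yaml" <<'EOF'
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: legacy-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts: ['legacy.example.com']
      port: {name: https-legacy, number: 443, protocol: HTTPS}
      tls:
        credentialName: myexample-credential
        minProtocolVersion: TLSV1_0
        mode: SIMPLE
    - hosts: ['api.example.com']
      port: {name: https-api, number: 8443, protocol: HTTPS}
      tls:
        credentialName: myexample-credential
        minProtocolVersion: TLSV1_3
        maxProtocolVersion: TLSV1_2
        mode: SIMPLE
EOF

check_gateway_tls "$workdir/gateway-ok.yaml"
check_gateway_tls "$workdir/gateway-bad.yaml" || echo "gateway-bad.yaml rejected, as expected"
```

The parser is line-oriented on purpose: it needs no YAML library in the CI image, and the tls block of a Gateway server is always written one key per line in the manifests this article uses. A manifest that puts the whole tls mapping in flow style on a single line would not be evaluated by it, so keep the block style shown in Step 2.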
Step 3: Create a virtual service
1. On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
2. Select a namespace and paste the following YAML. The gateways entry must match the name of the Gateway created in Step 2:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo-tlsversion-sample
spec:
  gateways:
    - mysdsgateway   # must match the Gateway name from Step 2
  hosts:
    - '*'
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
      route:
        - destination:
            host: productpage
            port:
              number: 9080
```
Step 4: Verify the TLS configuration
testssl.sh is a free command-line tool that checks which TLS/SSL protocol versions, cipher suites, and certificates a server offers on a port, and flags known cryptographic weaknesses. Use testssl.sh to verify your TLS version configuration.

1. Run the following command to execute testssl.sh in a container, replacing the placeholder with the IP address of the ingress gateway:

```shell
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
```

2. Check the protocol section of the report. Expected output for TLS 1.2 and later:

```
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
```

not offered for TLS 1 and TLS 1.1 confirms that these versions are disabled. offered for TLS 1.2 and TLS 1.3 confirms that the gateway accepts both.

3. Check the client simulation section, which lists the connection result for each simulated client. The results confirm that only clients that support TLS 1.2 or TLS 1.3 can establish connections.

(Optional) If you need to use TLS 1.2 only, perform the following steps:

1. Update the gateway YAML by setting both maxProtocolVersion and minProtocolVersion to TLSV1_2:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_2
        minProtocolVersion: TLSV1_2
        mode: SIMPLE
```

2. Run the following command to verify that only TLS 1.2 is supported:

```shell
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
```

Expected protocol output:

```
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
```

not offered for TLS 1 and TLS 1.1, and not offered and downgraded to a weaker protocol for TLS 1.3, confirm that only TLS 1.2 is accepted. The client simulation section confirms that only clients supporting TLS 1.2 can establish connections.

(Optional) If you need to use TLS 1.3 only, perform the following steps:

1. Update the gateway YAML by setting both maxProtocolVersion and minProtocolVersion to TLSV1_3:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: myexample-credential
        maxProtocolVersion: TLSV1_3
        minProtocolVersion: TLSV1_3
        mode: SIMPLE
```

2. Run the following command to verify that only TLS 1.3 is supported:

```shell
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<IP address of the ingress gateway>/productpage
```

Expected protocol output:

```
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 TLS 1.3    offered (OK): final
```

not offered for TLS 1.0, TLS 1.1, and TLS 1.2 confirms that only TLS 1.3 is accepted. The client simulation section confirms that only clients supporting TLS 1.3 can establish connections.
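Reading the protocol section by eye, as done above for the three configurations (TLS 1.2 and later, TLS 1.2 only, TLS 1.3 only), does not scale to re-checking the gateway after every change. The following added example is not part of the ASM documentation or of testssl.sh: it parses a saved testssl.sh report and fails when any protocol outside the expected range is offered, or when the expected minimum is not offered at all (a report that offers nothing usually means the scan never reached the gateway, which should not count as a pass). The three report excerpts are constructed to match the lines quoted in Step 4; the third models a gateway that was never hardened.

```shell
#!/bin/sh
# Added example, not part of the ASM documentation or of testssl.sh: a pass/fail
# gate over a saved testssl.sh report, so the Step 4 check can run unattended.

# check_tls_policy REPORT MIN [MAX]
# MIN and MAX use the protocol names testssl.sh prints ("TLS 1.2", "TLS 1.3");
# MAX defaults to "TLS 1.3". Returns 0 only when every offered protocol lies
# within [MIN, MAX] and MIN itself is offered.
check_tls_policy() {
  awk -v min="$2" -v max="${3:-TLS 1.3}" '
    function rank(p) {
      if (p == "SSLv2")   return 0
      if (p == "SSLv3")   return 1
      if (p == "TLS 1" || p == "TLS 1.0") return 2
      if (p == "TLS 1.1") return 3
      if (p == "TLS 1.2") return 4
      if (p == "TLS 1.3") return 5
      return -1
    }
    # Protocol lines look like " TLS 1.2    offered (OK)" or " TLS 1   not offered".
    /^[[:space:]]*(SSLv2|SSLv3|TLS 1(\.[0-9])?)[[:space:]]+(not[[:space:]]+)?offered/ {
      if ($1 == "TLS") { proto = $1 " " $2; state = $3 } else { proto = $1; state = $2 }
      if (state != "offered") next          # "not offered" lines are what we want
      r = rank(proto)
      if (r < rank(min) || r > rank(max)) {
        printf "FAIL %s is offered but outside the allowed range %s..%s\n", proto, min, max; bad++
      } else {
        printf "ok   %s offered\n", proto
      }
      if (r == rank(min)) minseen = 1
    }
    END {
      if (!minseen) { printf "FAIL %s is not offered\n", min; bad++ }
      exit (bad > 0)
    }
  ' "$1"
}

workdir=$(mktemp -d)
# Constructed excerpts modelled on the testssl.sh output quoted in Step 4.
cat > "$workdir/tls12-and-later.txt" <<'EOF'
Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
EOF
cat > "$workdir/tls13-only.txt" <<'EOF'
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    not offered
 TLS 1.3    offered (OK): final
EOF
# A gateway that was never hardened: TLS 1.0 and TLS 1.1 still negotiate.
cat > "$workdir/legacy.txt" <<'EOF'
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
EOF

check_tls_policy "$workdir/tls12-and-later.txt" "TLS 1.2"             # TLS 1.2 and later: passes
check_tls_policy "$workdir/tls13-only.txt"      "TLS 1.3" "TLS 1.3"   # TLS 1.3 only: passes
check_tls_policy "$workdir/legacy.txt"          "TLS 1.2" || echo "legacy gateway rejected, as expected"
```

To use it against a real gateway, save the report produced by the docker command in Step 4 to a file with colour output disabled (testssl.sh accepts --color 0) and pass that file as REPORT; for the TLS 1.2-only configuration pass "TLS 1.2" as both MIN and MAX, which makes an offered TLS 1.3 a failure just as an offered TLS 1.1 is.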