Older Transport Layer Security (TLS) versions, such as TLS 1.0 and TLS 1.1, have known vulnerabilities that expose HTTPS traffic to man-in-the-middle attacks and data breaches. Configure your Alibaba Cloud Service Mesh (ASM) ingress gateway to enforce TLS 1.2 or later by setting the minProtocolVersion field in the Gateway resource.
Background information
Early TLS versions, including TLS 1.0, have known security issues that can lead to data breaches during transmission. The best practice for enhancing website security is to replace TLS 1.0 and TLS 1.1 with TLS 1.2 or later. You must also disable weak cipher suites in TLS 1.2.
Prerequisites
Before you begin, make sure that you have:
- An ASM instance of Enterprise Edition or Ultimate Edition, version v1.14 or later. For more information, see Create an ASM instance and Update an ASM instance.
- A cluster added to the ASM instance. For more information, see Add a cluster to an ASM instance.
- An ingress gateway deployed. For more information, see Create an ingress gateway.
- An application deployed in the ASM instance. For more information, see Deploy an application in an ASM instance.
Step 1: Prepare a TLS certificate and private key
Create a TLS certificate and private key for the ingress gateway, then store them in a Kubernetes secret or ASM certificate. The following example uses the aliyun.com domain. If you already have a certificate and private key for this domain, rename them to aliyun.com.crt and aliyun.com.key, and skip to substep 3.
1. Generate a root certificate and private key:

   ```shell
   openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
     -subj '/O=myexample Inc./CN=aliyun.com' \
     -keyout aliyun.root.key -out aliyun.root.crt
   ```

2. Generate a server certificate and private key for aliyun.com:

   ```shell
   openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes \
     -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
   openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key \
     -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
   ```

   The resulting certificate identifies the host only through its CN. Browsers and most current TLS libraries require a subjectAltName entry, so add one (for example with the -extfile option of openssl x509) before presenting the certificate to real clients.
3. Store the certificate and private key. The method depends on your ASM version:

   ASM versions earlier than v1.17

   Connect to the cluster that hosts the ingress gateway pod using kubectl, then create a TLS secret in the istio-system namespace:

   ```shell
   kubectl create -n istio-system secret tls myexample-credential \
     --key=aliyun.com.key --cert=aliyun.com.crt
   ```

   Important: The secret name must not start with istio or prometheus, and the secret must not contain a token field.

   ASM v1.17 or later

   1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
   2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose ASM Gateways > Certificate Management.
   3. On the Certificate Management page, click Create. In the Certificate Information panel, configure the following parameters and click OK.

      | Parameter | Value |
      |---|---|
      | Name | myexample-credential |
      | Public Key Certificate | Paste the content of the aliyun.com.crt file generated in substep 2 |
      | Private Key | Paste the content of the aliyun.com.key file generated in substep 2 |
Step 2: Create an Istio gateway with TLS version enforcement
1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose ASM Gateways > Gateway. Click Create from YAML.
3. Select a namespace and paste the following YAML. The minProtocolVersion: TLSV1_2 setting rejects all connections that use TLS 1.0 or TLS 1.1:

   ```yaml
   apiVersion: networking.istio.io/v1beta1
   kind: Gateway
   metadata:
     name: mysdsgateway
   spec:
     selector:
       istio: ingressgateway
     servers:
     - hosts:
       - '*'
       port:
         name: https
         number: 443
         protocol: HTTPS
       tls:
         credentialName: myexample-credential
         minProtocolVersion: TLSV1_2
         mode: SIMPLE
   ```
Step 3: Create a VirtualService
1. On the ASM instance details page, choose Traffic Management Center > VirtualService in the left-side navigation pane. Click Create from YAML.
2. Select the same namespace as the gateway and paste the following YAML:

   ```yaml
   apiVersion: networking.istio.io/v1beta1
   kind: VirtualService
   metadata:
     name: bookinfo-tlsversion-sample
   spec:
     gateways:
     - mysdsgateway   # must match the name of the Gateway created in Step 2
     hosts:
     - '*'
     http:
     - match:
       - uri:
           exact: /productpage
       - uri:
           prefix: /static
       - uri:
           exact: /login
       - uri:
           exact: /logout
       - uri:
           prefix: /api/v1/products
       route:
       - destination:
           host: productpage
           port:
             number: 9080
   ```
Step 4: Verify the TLS configuration
Use testssl.sh to verify which TLS versions the ingress gateway accepts. testssl.sh is an open-source command-line tool that checks TLS/SSL protocol support, cipher suites, and known vulnerabilities on any server endpoint.
Run testssl.sh against the ingress gateway, replacing <ingress-gateway-ip> with the IP address of your ingress gateway:

```shell
docker run --rm -ti registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://<ingress-gateway-ip>/productpage
```
Verify TLS 1.2 and later (recommended)
With minProtocolVersion set to TLSV1_2 (as configured in Step 2), the expected output shows:
| Protocol | Status |
|---|---|
| SSLv2 | Not offered |
| SSLv3 | Not offered |
| TLS 1.0 | Not offered |
| TLS 1.1 | Not offered |
| TLS 1.2 | Offered |
| TLS 1.3 | Offered |
Only clients that support TLS 1.2 or TLS 1.3 can connect. Older clients (such as IE 8, Java 7) are rejected.
(Optional) Restrict to TLS 1.2 only
To allow only TLS 1.2 connections and reject TLS 1.3, set both minProtocolVersion and maxProtocolVersion to TLSV1_2:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myexample-credential
      maxProtocolVersion: TLSV1_2
      minProtocolVersion: TLSV1_2
      mode: SIMPLE
```
Run testssl.sh again to verify. The expected results:
| Protocol | Status |
|---|---|
| SSLv2 | Not offered |
| SSLv3 | Not offered |
| TLS 1.0 | Not offered |
| TLS 1.1 | Not offered |
| TLS 1.2 | Offered |
| TLS 1.3 | Not offered (downgraded to a weaker protocol) |
Only clients that support TLS 1.2 can connect; clients that also support TLS 1.3 fall back to TLS 1.2.
(Optional) Restrict to TLS 1.3 only
To enforce TLS 1.3 exclusively, set both minProtocolVersion and maxProtocolVersion to TLSV1_3:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysdsgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myexample-credential
      maxProtocolVersion: TLSV1_3
      minProtocolVersion: TLSV1_3
      mode: SIMPLE
```
TLS 1.3-only mode significantly reduces client compatibility. Many older browsers, Java 8, OpenSSL 1.0.x, and LibreSSL 2.x cannot connect. Test client compatibility before enforcing TLS 1.3 in production.
Run testssl.sh again to verify. The expected results:
| Protocol | Status |
|---|---|
| SSLv2 | Not offered |
| SSLv3 | Not offered |
| TLS 1.0 | Not offered |
| TLS 1.1 | Not offered |
| TLS 1.2 | Not offered |
| TLS 1.3 | Offered |
Only clients that support TLS 1.3 can connect. All TLS 1.2-only clients are rejected.
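The three result tables above come from probing the gateway one protocol version at a time. The following Go program is an illustration added here; it is not part of the ASM documentation or of Istio, and it uses only the Go standard library. It starts a local TLS listener whose MinVersion/MaxVersion mirror minProtocolVersion/maxProtocolVersion on the Gateway resource, then dials it once per TLS version with the client pinned to exactly that version and records which handshakes succeed, which is the check behind each testssl.sh protocol row. The function names (selfSignedCert, startGateway, probeVersions) are hypothetical, the aliyun.com certificate is generated in-process as a stand-in for the Step 1 files, and the listener stands in for the Envoy-based ingress gateway. SSLv2 and SSLv3 rows are absent because Go does not implement them. To check a deployed gateway the same way, point probeVersions at its address with a pool that contains the issuing certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The rows of the testssl.sh protocol table in Step 4 (Go does not implement SSLv2/SSLv3).
var probeOrder = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// selfSignedCert builds a throwaway certificate for host (constructed here in place of
// the aliyun.com.crt/aliyun.com.key pair from Step 1) and a pool that trusts it.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"myexample Inc."}, CommonName: host},
		DNSNames:     []string{host}, // SAN entry; modern clients ignore a CN-only certificate
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startGateway listens on loopback with the bounds that minProtocolVersion and
// maxProtocolVersion express on the Gateway resource (maxVersion 0 means no cap).
func startGateway(cert tls.Certificate, minVersion, maxVersion uint16) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: minVersion, MaxVersion: maxVersion,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				_ = c.(*tls.Conn).Handshake() // out-of-range versions fail here with a protocol_version alert
				c.Close()
			}(conn)
		}
	}()
	return ln, nil
}

// probeVersions dials addr once per TLS version, pinned to exactly that version,
// and records whether the handshake succeeded: the check behind each testssl.sh row.
func probeVersions(addr, serverName string, roots *x509.CertPool) map[uint16]bool {
	offered := make(map[uint16]bool, len(probeOrder))
	for _, v := range probeOrder {
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, ServerName: serverName, RootCAs: roots}
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
		if err == nil {
			conn.Close()
		}
		offered[v] = err == nil
	}
	return offered
}

func main() {
	cert, roots, err := selfSignedCert("aliyun.com")
	if err != nil {
		panic(err)
	}
	ln, err := startGateway(cert, tls.VersionTLS12, 0) // minProtocolVersion: TLSV1_2, no maximum
	if err != nil {
		panic(err)
	}
	offered := probeVersions(ln.Addr().String(), "aliyun.com", roots)
	for _, v := range probeOrder {
		fmt.Printf("0x%04x offered=%v\n", v, offered[v]) // 0x0301..0x0304 = TLS 1.0..TLS 1.3
	}
}
```

Run it with go run. For the minProtocolVersion: TLSV1_2 policy it reports offered=false for 0x0301 and 0x0302 (TLS 1.0 and 1.1) and offered=true for 0x0303 and 0x0304, matching the first table. Changing the startGateway arguments to (cert, tls.VersionTLS12, tls.VersionTLS12) or (cert, tls.VersionTLS13, tls.VersionTLS13) reproduces the two optional policies: in the first case 0x0304 is reported as not offered, in the second 0x0303 is.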