全部產品
Search
文件中心

Alibaba Cloud Service Mesh:在ASM網關配置TLS協議版本增強安全性

更新時間:Jun 30, 2024

當面臨因使用老舊TLS協議引發的安全隱患時,您可以在ASM網關配置TLS協議版本至最新安全標準,通過禁用不安全的舊版本(如TLS 1.0和1.1)並啟用更強大的TLS 1.2及更高版本,從而有效抵禦中間人攻擊、防止資料泄露等安全風險,確保服務與用戶端之間HTTPS串連的穩固性和安全性。

前提條件

背景資訊

包括TLS v1.0在內的早期TLS版本存在已知的安全問題,容易導致傳輸中的資料泄露。因此,一個增強網站安全性的最佳做法是禁用早期版本的TLS(v1.0和v1.1)並僅啟用TLS v1.2及更高版本。同時,禁用TLS v1.2中的弱密碼也非常重要。

步驟一:準備網關使用的認證和私密金鑰

以網域名稱aliyun.com為例,為網關產生認證和私密金鑰,並儲存為Secret。例如,如果您已經擁有針對aliyun.com可用的認證和私密金鑰,需要將密鑰命名為aliyun.com.key,認證命名為aliyun.com.crt;如果沒有,可以通過openssl執行以下步驟來產生認證和密鑰。

  1. 執行以下命令,建立根憑證和私密金鑰。

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
  2. 執行以下命令,為aliyun.com伺服器產生認證和私密金鑰。

    openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
    openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
  3. 按照ASM執行個體版本,建立Secret或認證。

    • ASM執行個體為1.17以下

      在入口網關Pod所在的叢集對應的KubeConfig環境下,執行以下命令,在istio-system命名空間中建立包含認證和私密金鑰的Secret。

      kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
      重要

      Secret名稱不能以istio或prometheus開頭,且不能包含token欄位。

    • ASM執行個體為1.17及以上

      1. 登入ASM控制台,在左側導覽列,選擇服務網格 > 網格管理

      2. 網格管理頁面,單擊目標執行個體名稱,然後在左側導覽列,選擇ASM網關 > 認證管理

      3. 認證管理頁面,單擊建立,然後在認證資訊面板,配置相關資訊,單擊確定

        配置項

        說明

        名稱

        輸入認證的名稱,本樣本為myexample-credential

        密鑰憑證

        步驟2產生的aliyun.com.crt內容。

        私密金鑰

        步驟2產生的aliyun.com.key內容。

步驟二:建立網關規則

  1. 登入ASM控制台,在左側導覽列,選擇服務網格 > 網格管理

  2. 網格管理頁面,單擊目標執行個體名稱,然後在左側導覽列,選擇ASM網關 > 網關規則,然後單擊使用YAML建立

  3. 建立頁面,選擇目標命名空間和任意情境模板,配置如下YAML。

    本文以default命名空間為例,YAML中設定minProtocolVersion值為TLSV1_2,表示禁用TLS v1.0和v1.1。

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: mysdsgateway
    spec:
      selector:
        istio: ingressgateway
      servers:
        - hosts:
            - '*'
          port:
            name: https
            number: 443
            protocol: HTTPS
          tls:
            credentialName: myexample-credential
            minProtocolVersion: TLSV1_2
            mode: SIMPLE

步驟三:建立虛擬服務

  1. 在網格詳情頁面左側導覽列,選擇流量管理中心 > 虛擬服務,然後在右側頁面,單擊使用YAML建立

  2. 建立頁面,選擇目標命名空間和任意情境模板,配置如下YAML。

    展開查看VirtualService YAML

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: bookinfo-tlsversion-sample
    spec:
      gateways:
        - mysdsgateway-tlsversion-sample
      hosts:
        - '*'
      http:
        - match:
            - uri:
                exact: /productpage
            - uri:
                prefix: /static
            - uri:
                exact: /login
            - uri:
                exact: /logout
            - uri:
                prefix: /api/v1/products
          route:
            - destination:
                host: productpage
                port:
                  number: 9080

步驟四:驗證TLS版本

testssl.sh是一個免費的命令列工具,可以檢查伺服器在任何連接埠上的服務是否支援TLS/SSL密鑰、協議以及一些加密缺陷等。本文使用testssl.sh對TLS版本進行驗證。

  1. 執行以下命令,以容器方式運行testssl.sh

    docker run --rm -ti  registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://網關地址/productpage

    展開查看預期輸出

    Testing protocols via sockets except NPN+ALPN
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      not offered
    TLS 1.1    not offered
    TLS 1.2    offered (OK)
    TLS 1.3    offered (OK): final
    
    ......
    Running client simulations (HTTP) via sockets
    
    Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
    ------------------------------------------------------------------------------------------------
    Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
    Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
    Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
    Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    IE 6 XP                      No connection
    IE 8 Win 7                   No connection
    IE 8 XP                      No connection
    IE 11 Win 7                  No connection
    IE 11 Win 8.1                No connection
    IE 11 Win Phone 8.1          No connection
    IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
    Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
    Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
    Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
    Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    Java 7u25                    No connection
    Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
    Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
    Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
    go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
    LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
    OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
    OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
    OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
    OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
    Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
    Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)

    由預期輸出得到,TLS 1和TLS 1.1版本均為not offered,說明已禁用這兩個版本;TLS 1.2和1.3版本均為offered,說明支援這兩個版本。

    在用戶端的類比請求中,也可以看到只有支援TLS 1.2和1.3版本的用戶端才能建立串連。

  2. 可選:若您需要嚴格限制到TLS 1.2版本,請參照以下步驟。

    1. 參照如下YAML,修改Gateway網關規則配置,設定maxProtocolVersionminProtocolVersion均為TLSV1_2

      apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      metadata:
        name: mysdsgateway
        namespace: default
      spec:
        selector:
          istio: ingressgateway
        servers:
          - hosts:
              - '*'
            port:
              name: https
              number: 443
              protocol: HTTPS
            tls:
              credentialName: myexample-credential
              maxProtocolVersion: TLSV1_2
              minProtocolVersion: TLSV1_2
              mode: SIMPLE
    2. 執行以下命令,進行驗證測試。

      docker run --rm -ti  registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://網關地址/productpage

      展開查看預期輸出

       Testing protocols via sockets except NPN+ALPN
      
       SSLv2      not offered (OK)
       SSLv3      not offered (OK)
       TLS 1      not offered
       TLS 1.1    not offered
       TLS 1.2    offered (OK)
       TLS 1.3    not offered and downgraded to a weaker protocol
      
      ......
       Running client simulations (HTTP) via sockets
      
       Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
      ------------------------------------------------------------------------------------------------
       Android 6.0                  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       Android 7.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Android 9.0 (native)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Android 10.0 (native)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Android 11 (native)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Android 12 (native)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Chrome 79 (Win 10)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Chrome 101 (Win 10)          TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Firefox 66 (Win 8.1/10)      TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Firefox 100 (Win 10)         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       IE 6 XP                      No connection
       IE 8 Win 7                   No connection
       IE 8 XP                      No connection
       IE 11 Win 7                  No connection
       IE 11 Win 8.1                No connection
       IE 11 Win Phone 8.1          No connection
       IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Edge 101 Win 10 21H2         TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Safari 12.1 (iOS 12.2)       TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Safari 13.0 (macOS 10.14.6)  TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Safari 15.4 (macOS 12.3.1)   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       Java 7u25                    No connection
       Java 8u161                   TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       Java 11.0.2 (OpenJDK)        TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       Java 17.0.3 (OpenJDK)        TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
       go 1.17.8                    TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)
       LibreSSL 2.8.3 (Apple)       TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
       OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       OpenSSL 1.1.0l (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
       OpenSSL 1.1.1d (Debian)      TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
       OpenSSL 3.0.3 (git)          TLSv1.2   ECDHE-RSA-CHACHA20-POLY1305       253 bit ECDH (X25519)
       Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       256 bit ECDH (P-256)
       Thunderbird (91.9)           TLSv1.2   ECDHE-RSA-AES128-GCM-SHA256       253 bit ECDH (X25519)

      由預期輸出得到,TLS 1和TLS 1.1版本均為not offered,TLS 1.3版本為not offered and downgraded to a weaker protocol,說明已禁用這三個版本;TLS 1.2版本為offered,說明只支援TLS 1.2版本。

      在用戶端的類比請求中,也可以看到只有支援TLS 1.2版本的用戶端才能建立串連。

  3. 可選:若您需要嚴格限制到TLS 1.3版本,請參照以下步驟。

    1. 參照如下YAML,修改Gateway網關規則配置,設定maxProtocolVersionminProtocolVersion均為TLSV1_3

      apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      metadata:
        name: mysdsgateway
        namespace: default
      spec:
        selector:
          istio: ingressgateway
        servers:
          - hosts:
              - '*'
            port:
              name: https
              number: 443
              protocol: HTTPS
            tls:
              credentialName: myexample-credential
              maxProtocolVersion: TLSV1_3
              minProtocolVersion: TLSV1_3
              mode: SIMPLE
    2. 執行以下命令,進行驗證測試。

      docker run --rm -ti  registry.cn-hangzhou.aliyuncs.com/acs/testssl.sh https://網關地址/productpage

      展開查看預期輸出

      Testing protocols via sockets except NPN+ALPN
      
      SSLv2      not offered (OK)
      SSLv3      not offered (OK)
      TLS 1      not offered
      TLS 1.1    not offered
      TLS 1.2    not offered
      TLS 1.3    offered (OK): final
      
      ......
      Running client simulations (HTTP) via sockets
      
       Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
      ------------------------------------------------------------------------------------------------
       Android 6.0                  No connection
       Android 7.0 (native)         No connection
       Android 8.1 (native)         No connection
       Android 9.0 (native)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Android 10.0 (native)        TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Android 11 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Android 12 (native)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Chrome 79 (Win 10)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Chrome 101 (Win 10)          TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Firefox 66 (Win 8.1/10)      TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Firefox 100 (Win 10)         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       IE 6 XP                      No connection
       IE 8 Win 7                   No connection
       IE 8 XP                      No connection
       IE 11 Win 7                  No connection
       IE 11 Win 8.1                No connection
       IE 11 Win Phone 8.1          No connection
       IE 11 Win 10                 No connection
       Edge 15 Win 10               No connection
       Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Safari 12.1 (iOS 12.2)       TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
       Safari 13.0 (macOS 10.14.6)  TLSv1.3   TLS_CHACHA20_POLY1305_SHA256      253 bit ECDH (X25519)
       Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       Java 7u25                    No connection
       Java 8u161                   No connection
       Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_128_GCM_SHA256            256 bit ECDH (P-256)
       Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
       go 1.17.8                    TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)
       LibreSSL 2.8.3 (Apple)       No connection
       OpenSSL 1.0.2e               No connection
       OpenSSL 1.1.0l (Debian)      No connection
       OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
       OpenSSL 3.0.3 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            253 bit ECDH (X25519)
       Apple Mail (16.0)            No connection
       Thunderbird (91.9)           TLSv1.3   TLS_AES_128_GCM_SHA256            253 bit ECDH (X25519)

      由預期輸出得到,TLS 1、TLS 1.1和TLS 1.2版本均為not offered,說明已禁用這三個版本;TLS 1.3版本為offered,說明只支援TLS 1.3版本。

      在用戶端的類比請求中,也可以看到只有支援TLS 1.3版本的用戶端才能建立串連。