Reputation: 322
I want to disable TLS 1.0 and TLS 1.1 from my website.
The website is hosted on Google Cloud Platform Kubernetes Engine.
I used this Nginx ingress https://cloud.google.com/community/tutorials/nginx-ingress-gke
And for the SSL certificate, I used cert-manager from this tutorial https://youtu.be/hoLUigg4V18
I don't get where I should do the change. Should it be done from:
I tried to create an SSL policy on GCP, but I wasn't able to add a target because it should be a GCE ingress, not Nginx (I have to use Nginx due to lack of required metadata in GCE). I also tried creating a config map file, but they are still enabled.
Upvotes: 0
Views: 2253
Reputation: 816
It seems that the default nginx-ingress defaults to using TLS 1.2 and 1.3 only; please check the documentation about Nginx Ingress.
You can verify by using openssl as follows:
To verify if TLSv1.0 is disabled, run the following command:
echo | openssl s_client -servername <hostname> -connect <hostname>:443 -tls1 2>&1 | grep -c 'ssl handshake failure'
To verify if TLSv1.1 is disabled, run the following command:
echo | openssl s_client -servername <hostname> -connect <hostname>:443 -tls1_1 2>&1 | grep -c 'ssl handshake failure'
A return integer greater than 0 means that TLSv1.0 or TLSv1.1 is disabled
Verifying via OpenSSL: TLSv1.2 enabled
echo | openssl s_client -servername <hostname> -connect <hostname>:443 -tls1_2 2>&1 | grep -c 'ssl handshake failure'
A return integer of 0 means that TLSv1.2 is enabled
Determine which TLS versions and ciphers are enabled via Nmap
You can determine which TLS versions and ciphers are enabled for each hostname using the following command:
nmap -sV --script ssl-enum-ciphers -p 443 <hostname>
Another tool is at https://github.com/drwetter/testssl.sh.
Upvotes: 0
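
The openssl checks above depend on one exact error string, which differs between OpenSSL releases, and a failure can also come from the local client refusing to offer TLS 1.0/1.1 rather than from the server. The following is an added example, not part of the original answer: it classifies an `s_client` transcript by whether a cipher was negotiated and flags inconclusive results. The function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_ACCEPTED='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REFUSED='140:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'
SAMPLE_CLIENT_BLOCKED='error:0A0000BF:SSL routines::no protocols available
New, (NONE), Cipher is (NONE)'

# Read s_client output on stdin and print one of:
#   enabled      - a cipher was negotiated, so the server accepted the version
#   disabled     - the server was reached but the handshake was refused
#   inconclusive - the local OpenSSL could not offer the version, or the
#                  connection failed, so nothing is learned about the server
classify_handshake() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" |
        grep -Eiq 'no protocols available|unknown option|connect:errno'; then
        echo inconclusive
    elif printf '%s\n' "$transcript" | grep -Eq 'Cipher is [A-Za-z0-9]'; then
        echo enabled
    else
        echo disabled
    fi
}

# Probe each protocol version on HOST:443 (needs network access).
probe_host() {
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -servername "$1" -connect "$1:443" "-$flag" \
            </dev/null 2>&1 | classify_handshake)
        printf '%-7s %s\n' "$flag" "$result"
    done
}

# With a hostname argument, probe it; otherwise classify the samples.
if [ "$#" -gt 0 ]; then
    probe_host "$1"
else
    for s in "$SAMPLE_ACCEPTED" "$SAMPLE_REFUSED" "$SAMPLE_CLIENT_BLOCKED"; do
        printf '%s\n' "$s" | classify_handshake
    done
fi
```

An `inconclusive` result for `tls1` or `tls1_1` usually means the local OpenSSL build or its security level blocks those versions; repeat the check from a client that can still offer them, or use nmap or testssl.sh.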