Support ssl_reject_handshake in Ingress and VS #1500
Merged
Commits on Apr 2, 2021
-
Support ssl_reject_handshake in Ingress and VS
To handle missing or invalid TLS Secrets in Ingress and VirtualServer resources, previously the Ingress Controller would generate the following configuration: ssl_certificate /etc/nginx/secrets/default; ssl_certificate_key /etc/nginx/secrets/default; ssl_ciphers NULL; The configuration will break any attempts for clients to establish TLS connections for the affected server in NGINX. The configuration has the following limitations: - It requires a TLS cert and key (we used the default server Secret as it was always present on the file system) - It doesn't work if clients and NGINX use TLS v1.3: NGINX will terminate TLS connection. This commit introduces the new ssl_reject_handshake directive, which configures NGINX to break any attempt to establish a TLS connection: ssl_reject_handshake on; The directive addresses the mentioned limitations: it doesn't require a TLS cert and key and works with TLS v1.3.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.