
feat: Support host level dynamic setting of tls protocol version #9885

Closed
AlinsRan opened this issue Jul 24, 2023 · 0 comments · Fixed by #9903
AlinsRan commented Jul 24, 2023

1. Background

In the communication between endpoint products and the server, we need to consider the TLS protocol compatibility of many different endpoint products. For example, some old products (old Android phones, TVs and other endpoint devices) still use the older TLSv1.1 protocol version, while new products use a higher TLS protocol version. If the new products also accept TLSv1.1, this may introduce security risks. To ensure that every product can establish secure communication, we need to adapt between protocol versions.

1.1 Problem to be solved

At present, APISIX can only configure the TLS version through the config.yaml file, and that setting takes effect for all hosts, which lacks flexibility. OpenResty provides a way to choose the TLS protocol version per host in the ssl_client_hello_by_lua_block phase. APISIX can use this to let users dynamically set a different TLS version for each host according to their own needs.

1.2 The benefits of solving this problem

  • Gives users the flexibility to dynamically set different TLS protocol versions for each host according to their needs
  • Enhances the dynamic configuration capabilities of APISIX

2. Goals

In APISIX, different TLS protocol versions can be dynamically configured for each host.

3. Detailed design (SSL admin API)

In APISIX, a new TLS protocol selection phase, http_ssl_protocols_phase(), is added. In the ClientHello phase of the TLS handshake it matches the SNI to an SSL object and sets the TLS protocol versions specified in that object's configuration.
The execution order of the APISIX phases is as follows:

http_ssl_protocols_phase() -> http_ssl_phase() -> http_access_phase() -> ...

  • ngx_tpl.lua
         {% if ssl.enable then %}
+        ssl_client_hello_by_lua_block {
+            apisix.http_ssl_protocols_phase()
+        }
+
         ssl_certificate_by_lua_block {
             apisix.http_ssl_phase()
         }
         {% end %}
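Review bot: apisix.http_ssl_protocols_phase() runs on every handshake as soon as ssl.enable is set, so it needs a defined behaviour when the ClientHello carries no SNI or the SNI matches no SSL object: fall back to the static ssl_protocols from config.yaml (the precedence described in section 3.2) instead of aborting the handshake, and log the resolved protocol list so an unexpected downgrade to TLSv1.1 on a host can be traced. ssl_client_hello_by_lua_block is also only available on OpenResty builds that ship it, so the template change should document the minimum OpenResty version it now requires.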

3.1 configuration

| Name | Required | Type | Default | Description |
| --- | --- | --- | --- | --- |
| snis | yes | | | A non-empty array of HTTPS SNIs |
| ssl_protocols | yes | string | ["TLSv1.2", "TLSv1.3"] | Associated with snis; controls the SSL/TLS protocol versions used between the server and clients |

Simply add an ssl_protocols field to the ssl resource to specify the TLS protocol versions for the domain names in the snis list; the default value is ["TLSv1.2", "TLSv1.3"].
In the following example, the TLS protocol versions for the test.com domain name are set to TLSv1.2 and TLSv1.3.

# curl http://127.0.0.1:9180/admin/apisix/ssls/1
{
    "cert": "$cert",
    "key": "$key",
    "snis": ["test.com"],
    "ssl_protocols": [
        "TLSv1.2",
        "TLSv1.3"
    ]
}

3.2 Configuration instructions

  • Static configuration
    The ssl_protocols parameter in the static configuration applies to all APISIX nodes but cannot be modified dynamically.
apisix:
  ssl:
    ssl_protocols: TLSv1.2 TLSv1.3
  • Dynamic resource configuration
    Dynamic resource configuration means creating and managing ssl resources through the APISIX Admin API. The new ssl.ssl_protocols configuration item gives fine-grained control per host, so the TLS protocol version of each host can be specified dynamically.
# curl http://127.0.0.1:9180/admin/apisix/ssls/1
{
    "cert": "$cert",
    "key": "$key",
    "snis": ["test.com"],
    "ssl_protocols": [
        "TLSv1.2",
        "TLSv1.3"
    ]
}

The ssl resource configuration takes precedence, and the static configuration is overridden. For example, if you set ssl_protocols: TLSv1.2 TLSv1.3 in config.yaml but set ssl.ssl_protocols: [TLSv1.3] in the resource configuration, APISIX will end up using only TLSv1.3. Therefore, when using the ssl configuration of APISIX, pay attention to the following points:

  • SSL resource configuration overrides the global static configuration; the resource configuration is authoritative.
  • The ssl resource configuration can be modified dynamically, whereas the static configuration requires an APISIX restart to take effect.
  • SSL resource configuration can be controlled at SNI granularity, while the static configuration only applies to APISIX globally.
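The phase described in section 3 and the override rule from section 3.2, as an added example that is not APISIX's own code or the implementation from #9903: a minimal ssl_client_hello handler that matches the SNI against in-memory SSL resources (constructed here as a stand-in for what APISIX loads from etcd), prefers the resource's ssl_protocols over the static list, rejects a malformed list instead of silently widening the allowed versions, and applies the result with set_protocols. It assumes a lua-resty-core whose ngx.ssl.clienthello module provides get_client_hello_server_name() and set_protocols(); the function names match_ssl, validate_protocols and resolve_protocols, the exact-before-wildcard SNI matching, and the sample resources are assumptions of this example, not part of the proposal.

```lua
-- Added example (not APISIX's own code): ssl_client_hello phase that picks the
-- TLS protocol set for the SNI the client presented.
-- Assumption: ngx.ssl.clienthello (lua-resty-core) provides
-- get_client_hello_server_name() and set_protocols().
local _M = {}

-- Versions accepted in set_protocols(); anything else is rejected before the handshake.
local ALLOWED = { ["TLSv1.1"] = true, ["TLSv1.2"] = true, ["TLSv1.3"] = true }

-- Stand-in for config.yaml `apisix.ssl.ssl_protocols` (constructed).
_M.static_protocols = { "TLSv1.2", "TLSv1.3" }

-- Constructed SSL resources, shaped like Admin API ssl objects.
_M.ssl_resources = {
    { id = "1", snis = { "test.com" },           ssl_protocols = { "TLSv1.2", "TLSv1.3" } },
    { id = "2", snis = { "legacy.example.com" }, ssl_protocols = { "TLSv1.1", "TLSv1.2" } },
    { id = "3", snis = { "*.example.com" } },    -- no ssl_protocols: uses the static list
}

-- Wildcard "*.suffix" matches exactly one extra label, like an SNI certificate.
local function sni_matches(pattern, sni)
    if pattern == sni then return true end
    local suffix = pattern:match("^%*(%..+)$")
    if not suffix then return false end
    if sni:sub(-#suffix) ~= suffix then return false end
    local head = sni:sub(1, #sni - #suffix)
    return head ~= "" and not head:find(".", 1, true)
end

-- Returns the matched resource or nil; an exact SNI match wins over a wildcard (assumption).
function _M.match_ssl(sni)
    local wildcard
    for _, res in ipairs(_M.ssl_resources) do
        for _, pattern in ipairs(res.snis) do
            if pattern == sni then return res end
            if not wildcard and sni_matches(pattern, sni) then wildcard = res end
        end
    end
    return wildcard
end

-- Returns the list, or nil plus an error, when ssl_protocols is not a non-empty
-- array of supported versions.
function _M.validate_protocols(list)
    if type(list) ~= "table" or #list == 0 then
        return nil, "ssl_protocols must be a non-empty array"
    end
    for _, v in ipairs(list) do
        if not ALLOWED[v] then return nil, "unsupported TLS version: " .. tostring(v) end
    end
    return list
end

-- Section 3.2 precedence: the matched resource's ssl_protocols overrides the static
-- list; no SNI, no match, or a resource without ssl_protocols keeps the static list.
-- Returns protocols, source ("resource" or "static"), or nil, err.
function _M.resolve_protocols(sni)
    local res = sni and _M.match_ssl(sni)
    if res and res.ssl_protocols then
        local ok, err = _M.validate_protocols(res.ssl_protocols)
        if not ok then return nil, "ssl " .. res.id .. ": " .. err end
        return res.ssl_protocols, "resource"
    end
    return _M.static_protocols, "static"
end

-- Handler for ssl_client_hello_by_lua_block; runs before ssl_certificate_by_lua.
function _M.http_ssl_protocols_phase()
    local ssl_clt = require("ngx.ssl.clienthello")
    local sni, err = ssl_clt.get_client_hello_server_name()
    if err then ngx.log(ngx.ERR, "failed to read SNI: ", err) end

    local protocols, info = _M.resolve_protocols(sni)
    if not protocols then
        -- A malformed resource must fail closed, not fall back to a wider list.
        ngx.log(ngx.ERR, info)
        return ngx.exit(ngx.ERROR)
    end

    local ok, set_err = ssl_clt.set_protocols(protocols)
    if not ok then
        ngx.log(ngx.ERR, "failed to set TLS protocols: ", set_err)
        return ngx.exit(ngx.ERROR)
    end
    ngx.log(ngx.INFO, "sni=", sni or "<none>", " protocols(", info, ")=",
            table.concat(protocols, " "))
end

return _M
```

Wire http_ssl_protocols_phase() into the ssl_client_hello_by_lua_block shown in section 3. The pure functions (match_ssl, validate_protocols, resolve_protocols) have no nginx dependency, so the module can be loaded with plain lua or resty to check which list a given SNI would receive: test.com and legacy.example.com get their resource lists, api.example.com matches the wildcard resource and falls back to the static list, and a missing SNI also yields the static list.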