0.32.0 does not change the default SSL ciphers; weak ones are not reintroduced. (+1 from me for that)
A future release (0.32.1?) will likely enable the TLS 1.3 protocol by default (once #5491 is merged and released). Enabling the TLS 1.3 protocol is just that: it has no effect on the default ciphers. They remain unchanged, i.e. the weak ones removed through #4813 are not going to be (re)enabled by default; documented user action is needed to override the default configuration and re-enable weak ciphers on demand.
NGINX Ingress controller version: Regressed since 0.27.1, and confirmed that we have the same issue on 0.30.0 as well.
Kubernetes version (use kubectl version): 1.16.9
Environment: Azure
What happened:
Since version 0.27.1, Nginx Ingress Controller started to use weak TLS cipher suites, which started to get our services flagged in the SSLScanner tool:
We are getting flagged for missing TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suites in SSLScanner.
This issue never happens on version 0.26.2.
What you expected to happen:
Nginx Ingress Controller should use correct TLS cipher suites that include the following two cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
How to reproduce it:
Reproducible in nginx ingress controllers since 0.27.1