
Default ciphers not available #5835

Closed
MMeent opened this issue Jul 1, 2020 · 6 comments · Fixed by #6551
Labels
kind/support Categorizes issue or PR as a support question.

Comments

@MMeent
Contributor

MMeent commented Jul 1, 2020

For both v0.30.0 and v0.32.0, I've seen the following behaviour:

config:

data:
  ssl-protocols: "TLSv1.2 TLSv1.3"

Using this config on a domain with a 2048-bit RSA key, we're only seeing the following cipher suites when running nmap --script ssl-enum-ciphers -p 443 <servername> on our server:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

... which seems incomplete, seeing that the default list of ciphers is 8 entries:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384

This is kind of annoying, as one of our customers still runs WS 2012R2, which of the above list somehow supports only DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384.

Is this a limitation of the combination of certificate with enabled ciphers, a configuration issue on my side, or an issue in the controller?

/triage support

@MMeent MMeent added the kind/support Categorizes issue or PR as a support question. label Jul 1, 2020
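The gap between the eight-entry default list and the three suites nmap reports can be explained from the suite names alone: the ECDSA suites need an ECDSA certificate, and the DHE suites need DH parameters. The following Python script is an added example, not code from the issue or from ingress-nginx. It converts the OpenSSL names in the default list to the IANA names nmap prints (for the (EC)DHE/RSA/ECDSA/AES-GCM/CHACHA20 suites only), parses the scan output quoted above (embedded as a constructed sample), and reports the likely reason for each missing suite.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the nmap ssl-enum-ciphers output quoted in the issue.
SAMPLE_NMAP = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# The eight-entry default cipher list quoted in the issue (OpenSSL names).
DEFAULT_CIPHERS: List[str] = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
]

PROTO_LINE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):")
SUITE_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")


def openssl_to_iana(name: str) -> str:
    """Map an OpenSSL suite name to the IANA name nmap prints.

    Covers the (EC)DHE + RSA/ECDSA + AES-GCM / CHACHA20 suites of the default
    list: 'AES128' becomes 'AES_128' and CHACHA20-POLY1305 gains the '_SHA256'
    suffix IANA uses. It is not a general converter for every OpenSSL suite.
    """
    kx, auth, *rest = name.split("-")
    body = [re.sub(r"^AES(128|256)$", r"AES_\1", part) for part in rest]
    iana = f"TLS_{kx}_{auth}_WITH_{'_'.join(body)}"
    if iana.endswith("CHACHA20_POLY1305"):
        iana += "_SHA256"
    return iana


def parse_nmap_ciphers(output: str) -> Dict[str, Set[str]]:
    """Collect the suites nmap reports as offered, keyed by protocol version."""
    offered: Dict[str, Set[str]] = {}
    proto = None
    for line in output.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            proto = m.group(1)
            offered.setdefault(proto, set())
            continue
        m = SUITE_LINE.match(line)
        if m and proto is not None:
            offered[proto].add(m.group(1))
    return offered


def diagnose(configured: List[str], nmap_output: str,
             proto: str = "TLSv1.2") -> Dict[str, str]:
    """Explain, per configured suite absent from the scan, what it needs."""
    offered = parse_nmap_ciphers(nmap_output).get(proto, set())
    report: Dict[str, str] = {}
    for name in configured:
        if openssl_to_iana(name) in offered:
            continue
        kx, auth = name.split("-")[:2]
        if auth == "ECDSA":
            report[name] = "needs an ECDSA certificate; the server presented an RSA key"
        elif kx == "DHE":
            report[name] = "DHE suites are only offered once ssl_dhparam (DH parameters) is configured"
        else:
            report[name] = "not offered; check ssl-ciphers and ssl-protocols"
    return report


if __name__ == "__main__":
    for suite, why in diagnose(DEFAULT_CIPHERS, SAMPLE_NMAP).items():
        print(f"{suite:32} {why}")
```

Run against the sample, the three ECDSA suites are attributed to the RSA certificate and the two DHE suites to the missing DH parameters, which is the answer the rest of the thread arrives at.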
@aledbf
Member

aledbf commented Jul 1, 2020

@MMeent
Contributor Author

MMeent commented Jul 1, 2020

Also, you should check the configuration with https://www.ssllabs.com/ssltest/analyze.html

Yes, I've done that, and got the same results as you got here: it's not showing the DHE ciphers, which I had expected based on the default configuration.

@aledbf
Member

aledbf commented Jul 1, 2020

it's not showing the DHE ciphers, which I had expected based on the default configuration.

DHE ciphers are not returned by openssl by default.

You could try to add the annotation nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers: "false" in the ingress you have to accept what your client sends.

@MMeent
Contributor Author

MMeent commented Jul 2, 2020

I've looked around, and found that setting ssl_dhparams is necessary to get DHE-based ciphers working in nginx. This was hidden somewhat deep inside the nginx documentation, and I couldn't find any other documentation regarding this limitation, either in this repo or while searching online.

But, thanks for the help, I've solved it by configuring DH parameters as per https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/ssl-dh-param

@MMeent MMeent closed this as completed Jul 2, 2020
@mtparet
Contributor

mtparet commented Dec 1, 2020

I have been hit by the same issue.
It's confusing to see the list of ciphers activated which in fact are not really activated.
I think the documentation should be improved to explicitly say that these ciphers will not be proposed until the DH param is set.

@PascalTurbo

When setting things up as explained by @mtparet I only find a log entry in the ingress pods:

Error adding or updating dhparam file ingress-lb-dhparam: no valid PEM formatted block found

I even have no idea where I can look at which file is mounted, to check if everything is right.
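The "no valid PEM formatted block found" error above means the controller read the Secret's dhparam value and found no "-----BEGIN DH PARAMETERS-----" block in it; the usual cause is that the base64 text produced by openssl dhparam | base64 was encoded a second time when it was placed in the Secret. The following Python script is an added example, not code from the issue or from ingress-nginx. It checks a Secret data value offline and tells "ok", "double-encoded", "not-pem" and "bad-base64" apart, then renders the Secret and ConfigMap fragment with a single encoding. The key names data.dhparam.pem and ssl-dh-param: <namespace>/<secret> follow the ssl-dh-param example linked earlier in the thread and should be checked against your controller version; the embedded DH PARAMETERS block is a constructed toy (p=5, g=2) that exercises the format checks and is not a usable DH group.

```python
import base64
import binascii
import re

# Constructed toy PEM: a DER SEQUENCE of two INTEGERs (p=5, g=2). It is NOT a
# usable DH group; it only exercises the format checks below.
TOY_DH_PEM = (
    b"-----BEGIN DH PARAMETERS-----\n"
    b"MAYCAQUCAQI=\n"
    b"-----END DH PARAMETERS-----\n"
)

PEM_BLOCK = re.compile(
    rb"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def extract_dh_der(pem: bytes):
    """Return the DER bytes of the first DH PARAMETERS block, or None."""
    m = PEM_BLOCK.search(pem)
    if not m:
        return None
    try:
        der = base64.b64decode(m.group(1))  # newlines inside the block are ignored
    except (binascii.Error, ValueError):
        return None
    # DH parameters are an ASN.1 SEQUENCE, whose DER tag byte is 0x30.
    return der if der[:1] == b"\x30" else None


def classify_secret_value(value: str) -> str:
    """Classify the base64 string stored under data.dhparam.pem in a Secret."""
    try:
        raw = base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if extract_dh_der(raw) is not None:
        return "ok"
    # Common mistake: the output of `openssl dhparam | base64` was pasted and then
    # encoded again, so the controller sees base64 text instead of PEM.
    try:
        inner = base64.b64decode(b"".join(raw.split()), validate=True)
    except (binascii.Error, ValueError):
        inner = b""
    if inner and extract_dh_der(inner) is not None:
        return "double-encoded"
    return "not-pem"


def secret_value_for(pem: bytes) -> str:
    """The correct encoding: base64 of the PEM text itself, exactly once."""
    return base64.b64encode(pem).decode("ascii")


def mistaken_double_encoding(pem: bytes) -> str:
    """What ends up in the Secret when already-base64 text is encoded again."""
    return secret_value_for(base64.b64encode(pem))


def manifests_for(pem: bytes, name: str = "lb-dhparam",
                  namespace: str = "ingress-nginx") -> str:
    """Secret plus the ConfigMap key pointing the controller at it.

    Key names follow the ingress-nginx ssl-dh-param example linked in the
    thread (assumption: verify them against your controller version).
    """
    return (
        "apiVersion: v1\nkind: Secret\ntype: Opaque\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
        f"data:\n  dhparam.pem: {secret_value_for(pem)}\n"
        "---\n# ingress-nginx ConfigMap fragment\n"
        f"data:\n  ssl-dh-param: \"{namespace}/{name}\"\n"
    )


if __name__ == "__main__":
    print("correct :", classify_secret_value(secret_value_for(TOY_DH_PEM)))
    print("mistake :", classify_secret_value(mistaken_double_encoding(TOY_DH_PEM)))
    print(manifests_for(TOY_DH_PEM))
```

To check a live Secret, pass the value of data.dhparam.pem from kubectl get secret -o yaml to classify_secret_value; "double-encoded" means one base64 layer has to be removed, and creating the Secret with kubectl create secret generic ... --from-file=dhparam.pem=<pem file> avoids the extra layer in the first place.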
