IBM Cloud Kubernetes Service ALB Update: TLS 1.0 and 1.1 Disabled By Default

In keeping with our goal to provide you with a robust, trusted platform for your applications, and to comply with the PCI Security Standards Council mandate, the Ingress controller will have TLS 1.0 and 1.1 disabled by default in the upcoming version upgrade of the IBM Cloud Kubernetes Service ALB.

Although the Ingress controller supports TLS 1.2, and connecting clients use it by default, it still has TLS 1.0 and 1.1 enabled so that older devices that do not yet support TLS 1.2 can connect. Over the past two years the industry has moved on from TLS 1.0 and 1.1, and the number of devices that still require them has decreased dramatically.

What is TLS?

TLS stands for Transport Layer Security. It is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol and is used by web browsers and by other applications that need to exchange data securely over a network. Through encryption and verification of the endpoint's identity, TLS ensures that a connection reaches the intended remote endpoint.

When will this happen?

On January 22, 2019, the update will be rolled out automatically to all customers who have not opted out of auto-updates.

If you wish to update on your own schedule, you can opt out of auto-updates.

What do I have to do?

If the clients connecting to your application exposed via the Ingress support TLS 1.2, you do not have to do anything; those clients will not be affected.

If you still have legacy clients that require TLS 1.0 or 1.1 support, you will have to enable those versions manually by listing the required version(s) in the ssl-protocols line of the ibm-cloud-provider-ingress-cm configmap. For further details, please see the official documentation section Configuring SSL protocols and SSL ciphers at the HTTP level.

How can I investigate?

You can verify that your client browser supports TLS 1.2 using the SSL Test tool from SSL Labs. You can also check the User Agent Capabilities list.

Additionally, you can have the ALB log the TLS version and cipher that each of your users connects with, by going through the following steps:

  1. Edit your ALB configmap:
     $ kubectl edit cm ibm-cloud-provider-ingress-cm -n kube-system
  2. Add the following log-format entry to the data: section. (It is one YAML value, shown wrapped here; make sure the indentation is correct.)
      log-format: '{"time_date": "$time_iso8601", "client": "$remote_addr", "host": "$http_host",
        "scheme": "$scheme", "request_method": "$request_method", "request_uri": "$uri",
        "request_id": "$request_id", "status": $status, "upstream_addr": "$upstream_addr",
        "upstream_status": $upstream_status, "request_time": $request_time, "upstream_response_time":
        $upstream_response_time, "upstream_connect_time": $upstream_connect_time, "upstream_header_time":
        $upstream_header_time, "ssl_cipher": "$ssl_cipher", "ssl_protocol": "$ssl_protocol"}'
  3. Save the configmap, and you are done.
  4. Optional: verify with the following command:
     $ kubectl get cm ibm-cloud-provider-ingress-cm -n kube-system -o yaml

The ALB will get reconfigured to add the TLS version and cipher to the logs.
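The two checks described above, the ssl-protocols line of the configmap and the ssl_protocol/ssl_cipher fields in the ALB logs, combined in one script. This is an added example and is not code from this post or from IBM; it assumes the ssl-protocols value uses nginx's space-separated syntax (for example "TLSv1 TLSv1.1 TLSv1.2") and that log lines follow the log-format shown in step 2. The configmap and the log lines are constructed samples, not output from a real cluster.

```python
"""Find legacy TLS versions in an ALB configmap and tally the TLS versions
clients actually use, from ALB log lines in the JSON log-format above.

Added example; not part of the IBM post or its tooling. Sample data is constructed.
"""
import json
from collections import Counter

# The versions the ALB upgrade disables by default.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def legacy_protocols_enabled(configmap):
    """Return the legacy versions named in the configmap's ssl-protocols line.

    `configmap` is the dict form of
    `kubectl get cm ibm-cloud-provider-ingress-cm -n kube-system -o json`.
    Assumption: the value uses nginx's space-separated syntax, e.g.
    "TLSv1 TLSv1.1 TLSv1.2". A missing key means the ALB default applies.
    """
    raw = configmap.get("data", {}).get("ssl-protocols", "")
    return sorted(set(raw.split()) & LEGACY_PROTOCOLS)


def summarize_tls_usage(log_text):
    """Tally requests by ssl_protocol and collect clients still on TLS 1.0/1.1.

    Non-JSON lines (controller messages) are skipped. A line can also fail to
    parse when nginx logs "-" for an unquoted numeric field such as
    upstream_status (a request answered without an upstream), so those lines
    are counted under "skipped" instead of being dropped silently. Plain-HTTP
    requests carry "-" (or "") as ssl_protocol and are counted separately so
    they do not hide legacy-TLS clients.
    """
    by_protocol = Counter()
    ciphers = Counter()
    legacy_clients = set()
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            skipped += 1
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        proto = rec.get("ssl_protocol") or "-"
        if proto == "-":
            proto = "plain-http"
        by_protocol[proto] += 1
        if proto != "plain-http":
            ciphers[proto + " " + rec.get("ssl_cipher", "-")] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_clients.add(rec.get("client", "?"))
    return {
        "by_protocol": dict(by_protocol),
        "ciphers": dict(ciphers),
        "legacy_clients": sorted(legacy_clients),
        "skipped": skipped,
    }


# Constructed sample: the shape of `-o json` output, with legacy versions still enabled.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "ibm-cloud-provider-ingress-cm", "namespace": "kube-system"},
    "data": {"ssl-protocols": "TLSv1 TLSv1.1 TLSv1.2"},
}

# Constructed sample log: one controller message, three TLS requests, one plain-HTTP
# request, and one redirect answered without an upstream (unquoted "-" fields, invalid JSON).
SAMPLE_LOG = """\
I0122 10:00:00.000000 1 main.go:99] starting NGINX Ingress controller
{"time_date": "2019-01-22T10:00:01+00:00", "client": "198.51.100.10", "host": "shop.example.com", "scheme": "https", "request_method": "GET", "request_uri": "/", "request_id": "a1", "status": 200, "upstream_addr": "172.30.1.5:8080", "upstream_status": 200, "request_time": 0.012, "upstream_response_time": 0.010, "upstream_connect_time": 0.001, "upstream_header_time": 0.009, "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", "ssl_protocol": "TLSv1.2"}
{"time_date": "2019-01-22T10:00:02+00:00", "client": "203.0.113.7", "host": "shop.example.com", "scheme": "https", "request_method": "GET", "request_uri": "/cart", "request_id": "a2", "status": 200, "upstream_addr": "172.30.1.5:8080", "upstream_status": 200, "request_time": 0.031, "upstream_response_time": 0.029, "upstream_connect_time": 0.002, "upstream_header_time": 0.027, "ssl_cipher": "AES256-SHA", "ssl_protocol": "TLSv1"}
{"time_date": "2019-01-22T10:00:03+00:00", "client": "203.0.113.7", "host": "shop.example.com", "scheme": "https", "request_method": "POST", "request_uri": "/checkout", "request_id": "a3", "status": 302, "upstream_addr": "172.30.1.6:8080", "upstream_status": 302, "request_time": 0.044, "upstream_response_time": 0.041, "upstream_connect_time": 0.002, "upstream_header_time": 0.040, "ssl_cipher": "ECDHE-RSA-AES256-SHA", "ssl_protocol": "TLSv1.1"}
{"time_date": "2019-01-22T10:00:04+00:00", "client": "192.0.2.44", "host": "shop.example.com", "scheme": "http", "request_method": "GET", "request_uri": "/healthz", "request_id": "a4", "status": 200, "upstream_addr": "172.30.1.5:8080", "upstream_status": 200, "request_time": 0.003, "upstream_response_time": 0.002, "upstream_connect_time": 0.001, "upstream_header_time": 0.002, "ssl_cipher": "-", "ssl_protocol": "-"}
{"time_date": "2019-01-22T10:00:05+00:00", "client": "192.0.2.44", "host": "shop.example.com", "scheme": "http", "request_method": "GET", "request_uri": "/", "request_id": "a5", "status": 308, "upstream_addr": "-", "upstream_status": -, "request_time": 0.000, "upstream_response_time": -, "upstream_connect_time": -, "upstream_header_time": -, "ssl_cipher": "-", "ssl_protocol": "-"}
"""

if __name__ == "__main__":
    print("legacy versions enabled:", legacy_protocols_enabled(SAMPLE_CONFIGMAP))
    print(json.dumps(summarize_tls_usage(SAMPLE_LOG), indent=2))
```

Against a real cluster, feed `legacy_protocols_enabled` the parsed output of `kubectl get cm ibm-cloud-provider-ingress-cm -n kube-system -o json` and feed `summarize_tls_usage` the text of `kubectl logs` for the ALB pod. The legacy_clients list is the set of source addresses that would stop connecting once TLS 1.0 and 1.1 are disabled, which is the question this page is asking you to answer before January 22. Because the log-format above leaves upstream_status and the timing fields unquoted, a request that nginx answers itself (for example a redirect) can log `-` for them and the line is then not valid JSON; the script counts such lines under skipped rather than silently losing them.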

Just as a reference, the configmap should look approximately like this before saving:

Contact us

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.

Chief Architect, Networking – IBM Cloud Kubernetes Service
