IBM Cloud Kubernetes Service ALB Update: TLS 1.0 and 1.1 Disabled By Default

By: Arpad Kun


In keeping with our goal to provide you with a robust, trusted platform for your applications, and to comply with the PCI Security Standards Council mandate to migrate off early TLS, the Ingress controller will have TLS 1.0 and 1.1 disabled by default in the upcoming version upgrade of the IBM Cloud Kubernetes Service ALB.

Although the Ingress controller already supports TLS 1.2, and connecting clients negotiate it by default, it still has TLS 1.0 and 1.1 enabled so that older devices without TLS 1.2 support can connect. Over the past two years the industry has moved on from TLS 1.0 and 1.1, and the number of devices that still require them has decreased dramatically.

What is TLS?

TLS stands for Transport Layer Security. It is a protocol that provides confidentiality and data integrity between two communicating applications. It is the most widely deployed security protocol, used by web browsers and by any other application that needs to exchange data securely over a network. TLS encrypts the traffic, detects tampering in transit and, through certificate-based verification of the endpoint's identity, assures the client that it is talking to the intended server rather than an impostor.

When will this happen?

The update will be rolled out automatically on January 14, 2018 to all customers who have not opted out of auto-update.

If you prefer to update on your own schedule, you can opt out of auto-updates.

What do I have to do?

If the clients connecting to your application exposed via the Ingress support TLS 1.2, you do not have to do anything; those clients will not be affected.

If you still have legacy clients that require TLS 1.0 or 1.1 support, you will have to manually enable them by listing the required version(s) in the ssl-protocols line of the ibm-cloud-provider-ingress-cm configmap (the ALB is nginx-based, so the value is nginx's space-separated ssl_protocols list, for example TLSv1 TLSv1.1 TLSv1.2). Keep in mind that re-enabling these versions re-exposes the endpoint to the weaknesses that led the PCI SSC to mandate the migration, so treat it as a temporary measure while the legacy clients are upgraded. For further details, please see the official documentation section Configuring SSL protocols and SSL ciphers at the HTTP level.

How can I investigate?

You can verify that your client browser supports TLS 1.2 with the SSL Labs browser test (the SSL Client Test). You can also check the SSL Labs User Agent Capabilities list to see which protocol versions a given client or library supports.

Additionally, you can make the ALB log the TLS version and cipher that each of your users connects with, so that you can see how much legacy traffic you actually have, by going through the following steps:

  1. Edit your ALB configmap:

    $ kubectl edit cm ibm-cloud-provider-ingress-cm -n kube-system
  2. Add the following log-format entry to the data: section. (Make sure the indentation is correct.) Note that the status, upstream_status and timing fields are written without quotes; nginx logs a hyphen for the upstream fields when no upstream was contacted, and a comma-separated list when several upstreams were tried, so quote those fields as well if you intend to feed the lines to a strict JSON parser.

      log-format: '{"time_date": "$time_iso8601", "client": "$remote_addr", "host": "$http_host",
        "scheme": "$scheme", "request_method": "$request_method", "request_uri": "$uri",
        "request_id": "$request_id", "status": $status, "upstream_addr": "$upstream_addr",
        "upstream_status": $upstream_status, "request_time": $request_time, "upstream_response_time":
        $upstream_response_time, "upstream_connect_time": $upstream_connect_time, "upstream_header_time":
        $upstream_header_time, "ssl_cipher": "$ssl_cipher", "ssl_protocol": "$ssl_protocol"}'
  3. Save the configmap, and you are done.

  4. Optional: Verify with the following command:

    $ kubectl get cm ibm-cloud-provider-ingress-cm -n kube-system -o yaml

The ALB is reconfigured automatically and starts adding the TLS version and cipher to each access-log line.
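Once the new log format is active, the following shell helpers (an added example, not code from the original post or from IBM) summarize which TLS versions your clients are negotiating and list the client addresses that will stop working when TLS 1.0 and 1.1 are disabled. The log lines, host names and addresses are constructed for illustration; the live probe assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for reading the JSON
# log-format configured above and for checking an ALB endpoint with the
# openssl CLI (assumed to be installed). Host names and addresses below
# are constructed for illustration.

# Constructed ALB access-log lines in the log-format above, trimmed to the
# fields used here. nginx records $ssl_protocol as TLSv1, TLSv1.1 or TLSv1.2
# and leaves it empty for plain HTTP requests.
SAMPLE_LOG='{"time_date": "2018-01-10T09:58:01+00:00", "client": "203.0.113.10", "host": "app.example.com", "scheme": "https", "status": 200, "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", "ssl_protocol": "TLSv1.2"}
{"time_date": "2018-01-10T09:58:04+00:00", "client": "198.51.100.7", "host": "app.example.com", "scheme": "https", "status": 200, "ssl_cipher": "AES128-SHA", "ssl_protocol": "TLSv1"}
{"time_date": "2018-01-10T09:58:09+00:00", "client": "203.0.113.10", "host": "app.example.com", "scheme": "https", "status": 304, "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", "ssl_protocol": "TLSv1.2"}
{"time_date": "2018-01-10T09:58:12+00:00", "client": "192.0.2.44", "host": "api.example.com", "scheme": "https", "status": 200, "ssl_cipher": "ECDHE-RSA-AES256-SHA", "ssl_protocol": "TLSv1.1"}
{"time_date": "2018-01-10T09:58:15+00:00", "client": "192.0.2.44", "host": "app.example.com", "scheme": "http", "status": 301, "ssl_cipher": "", "ssl_protocol": ""}'

# Print "<protocol> <client>" for every log line on stdin. The fixed field
# order of the log-format makes a single sed expression sufficient; this is
# not a general JSON parser. An empty protocol is reported as "plaintext".
client_protocol() {
    sed -n 's/.*"client": *"\([^"]*\)".*"ssl_protocol": *"\([^"]*\)".*/\2 \1/p' |
        sed 's/^ /plaintext /'
}

# Count requests per negotiated protocol version, e.g. "2 TLSv1.2".
tls_protocol_summary() {
    client_protocol | awk '{ n[$1]++ } END { for (p in n) print n[p], p }' | sort
}

# Distinct client addresses that still negotiate TLS 1.0 or 1.1. These are
# the clients that will fail to connect once the ALB drops those versions.
legacy_tls_clients() {
    client_protocol | awk '$1 == "TLSv1" || $1 == "TLSv1.1" { print $2 }' | sort -u
}

# Try a handshake restricted to one protocol version (tls1, tls1_1 or tls1_2)
# against a live endpoint. Succeeds only if the server completed the
# handshake; after the update, tls1 and tls1_1 are expected to fail.
probe_tls_version() {
    host=$1; port=$2; version=$3
    openssl s_client -connect "$host:$port" -servername "$host" "-$version" \
        </dev/null 2>/dev/null | grep '^New, ' | grep -qv 'Cipher is (NONE)'
}

# Run over the constructed sample (pipe real lines from the ALB pod's
# kubectl logs output instead).
printf '%s\n' "$SAMPLE_LOG" | tls_protocol_summary
printf '%s\n' "$SAMPLE_LOG" | legacy_tls_clients
# Live check against your own endpoint, e.g.:
#   probe_tls_version app.example.com 443 tls1 && echo "TLS 1.0 still accepted"
```

Pipe the output of kubectl logs for the ALB pod into tls_protocol_summary and legacy_tls_clients over a few days of traffic before the update to see which clients you would cut off. After the update, probe_tls_version with tls1 and tls1_1 against the live endpoint should fail while tls1_2 still succeeds.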

Just as a reference, the configmap should look approximately like this before saving:
