Closed vicanso closed 1 week ago
By default, https://docs.rs/pingora/0.2.0/pingora/listeners/struct.TlsSettings.html creates a TLS server setting that does not support TLSv1.1. According to https://wiki.mozilla.org/Security/Server_Side_TLS, you have to adjust your TLS settings to allow TLSv1.1, including the cipher, security level, SSL options as well as tmp_dh. It is cumbersome, but using TLSv1.1 is discouraged.
The following works:
    // generated from openssl dhparam 1024
    const DH: &str = "
    -----BEGIN DH PARAMETERS-----
    MIGHAoGBAOEz2IYhQ3IuU28X51BBS+o/s01zOdEaYCbIuiHOQTlviuKwWDiIPFqz
    uxt2N265LnDYf1/vSO2E/m7XP1H5UEA4gtJ0J6FhyH9bgF0UHbAyzrwyFR4CboCn
    Yskm+g1ZVWDyRs8UO2niPbp7LrmtN6tdWK0RXeqwcxVEJOwijK6XAgEC
    -----END DH PARAMETERS-----";

    // security level 0: OpenSSL 3 refuses TLS 1.0/1.1 at the default level 1
    tls_settings.set_security_level(0);
    // re-enable TLSv1.1, which the default options switch off
    tls_settings.clear_options(pingora::tls::ssl::SslOptions::NO_TLSV1_1);
    // we only put TLSv1 cipher here to test
    tls_settings
        .set_cipher_list("ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA")
        .unwrap();
    // DH parameters, as the Mozilla guide requires for DHE suites
    let dh = openssl::dh::Dh::params_from_pem(DH.as_bytes()).unwrap();
    tls_settings.set_tmp_dh(&dh).unwrap();
    // only now does lowering the floor to TLSv1.1 take effect
    tls_settings
        .set_min_proto_version(Some(pingora::tls::ssl::SslVersion::TLS1_1))
        .unwrap();
Thanks
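As an added illustration (not pingora's code and not the commenter's), here is a small Python model of how the knobs above combine against a client capped with curl --tls-max 1.1; the server defaults, the security-level rule and the cipher classification are assumptions written into the model, and the logged SslVersion(770) is decoded as 0x0302, i.e. TLSv1.1.

```python
from dataclasses import dataclass, field

# OpenSSL protocol version codes; pingora's SslVersion(770) is 0x0302 = TLSv1.1.
TLS1_0, TLS1_1, TLS1_2, TLS1_3 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS1_0: "TLSv1", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2", TLS1_3: "TLSv1.3"}
NO_TLSV1_1 = "NO_TLSV1_1"  # stands in for pingora::tls::ssl::SslOptions::NO_TLSV1_1
# TLS 1.0/1.1 only carry CBC-SHA suites; GCM and SHA256 suites are TLS 1.2+.
LEGACY_SUITES = {"ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
                 "DHE-RSA-AES128-SHA", "AES128-SHA", "AES256-SHA"}

def describe(code: int) -> str:
    """Decode a logged SslVersion(n) value, e.g. 770 -> 'TLSv1.1 (0x0302)'."""
    return f"{NAMES.get(code, 'unknown')} (0x{code:04x})"

@dataclass
class TlsSettings:
    """Assumed defaults modelling an OpenSSL 3 server: TLS 1.2 floor,
    security level 1, TLSv1.1 switched off, TLS 1.2-only ciphers, no tmp DH."""
    min_proto_version: int = TLS1_2
    security_level: int = 1
    options: set = field(default_factory=lambda: {NO_TLSV1_1})
    cipher_list: list = field(default_factory=lambda: ["ECDHE-RSA-AES128-GCM-SHA256"])
    tmp_dh_set: bool = False

def blockers(s: TlsSettings, version: int) -> list:
    """Reasons the modelled server refuses a handshake at exactly `version`."""
    reasons = []
    if s.min_proto_version > version:
        reasons.append(f"min_proto_version is {NAMES[s.min_proto_version]}")
    if version < TLS1_2 and s.security_level >= 1:
        reasons.append("security level >= 1 disallows TLS < 1.2 on OpenSSL 3")
    if version == TLS1_1 and NO_TLSV1_1 in s.options:
        reasons.append("SslOptions::NO_TLSV1_1 is still set")
    if version < TLS1_2 and not LEGACY_SUITES.intersection(s.cipher_list):
        reasons.append("cipher list has no suite usable below TLS 1.2")
    if any(c.startswith("DHE-") for c in s.cipher_list) and not s.tmp_dh_set:
        reasons.append("DHE suites listed but set_tmp_dh was never called")
    return reasons

def negotiated(s: TlsSettings, client_max: int, server_max: int = TLS1_3):
    """Version a client capped at client_max (curl --tls-max) ends up with,
    or None when the handshake fails, plus the blocking reasons."""
    version = min(server_max, client_max)
    why = blockers(s, version)
    return (None if why else NAMES[version]), why
```

With only set_min_proto_version changed, the model still reports three blockers for a TLS 1.1 client, which is the situation the bug report describes.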
Describe the bug
I use set_min_proto_version to set the min proto version to TLS 1.1. Then the log of tls_settings.min_proto_version() is SslVersion(770). However, when I set --tls-max 1.1 for curl, the TLS handshake fails. And the pingora debug log:
Pingora info
Pingora version: 31d7b63ed7e3a1595903bca3680e130fe90e05a0
Rust version: cargo 1.78.0 (54d8815d0 2024-03-26)
Operating system version: messense/rust-musl-cross:x86_64-musl