Closed bnevis-i closed 3 years ago
Attaching BEFORE report. kong.before.zip
Closing as will-not-fix.
The default "intermediate" ssl_cipher_suite is pretty good.
According to the testssl.sh connection simulation and using the "modern" ssl_cipher_suite, the modern suite results in also disabling TLSv1.2, which will completely block IE 11 and Edge browsers (though almost all of the other modern browsers will work).
Leaving well-enough alone.
Reopening as use case is not browsers but API clients.
Rationale for keeping: this is a config change; if it breaks, users can go back to the old config. Strong desire to have TLSv1.3 in LTS.
Add TLS documentation section to documentation.
After report attached.
🚀 Feature Request
Relevant Package
Kong
Description
CII Best Practices recommends use of strong TLS ciphers. We currently deploy Kong with the default cipher list.
Describe the solution you'd like
Suggest to do this via compose file or via service definition. KONG_NGINX_HTTP_SSL_PROTOCOLS etc
Also: update environment variable section in common config section of edgex docs.
Stretch goal for Jakarta.
Validation: testssl.sh or other tool.
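One way to script the validation step alongside testssl.sh, as an added example that is not code from the issue, EdgeX or Kong: it pins a client to a single TLS version and records whether the gateway completes the handshake, which makes the before/after effect of an `ssl_protocols` or cipher-suite change checkable in CI. The function names and the `localhost:8443` endpoint are assumptions.

```python
import socket
import ssl

# Only the versions the issue discusses; local OpenSSL builds often refuse
# anything older regardless of what the server allows.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Client context able to negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: the gateway may present a self-signed certificate and the
    # question is protocol support, not identity. Never reuse for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, timeout=3.0):
    """Return {version name: 'accepted' | 'rejected' | 'unreachable'}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"  # no TCP connection, so no TLS answer
            continue
        try:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                results[name] = "accepted" if tls.version() == name else "rejected"
        except OSError:  # ssl.SSLError is a subclass: alert, reset or timeout
            results[name] = "rejected"
            raw.close()
    return results

def meets_policy(results, required, forbidden=()):
    """True when every required version is accepted and every forbidden one is rejected."""
    return (all(results.get(v) == "accepted" for v in required)
            and all(results.get(v) == "rejected" for v in forbidden))

if __name__ == "__main__":
    # Assumed endpoint: a local Kong TLS proxy listener; adjust to the deployment.
    found = probe("localhost", 8443)
    print(found, "TLSv1.3 available:", meets_policy(found, required=("TLSv1.3",)))
```

For the "modern" suite behaviour described in the comments, pass `forbidden=("TLSv1.2",)`; for an API-client deployment that keeps both versions, pass both names as `required`.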