chore(ssl) requiring upgrade to more secure TLS/1.2
subnetmarco committed Feb 22, 2017
1 parent 974cc13 commit 392843f
Showing 4 changed files with 6 additions and 3 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -21,6 +21,9 @@ perform significantly better than any previous version.
been added to Kong core, and are configurable via new properties on the API
entity. See the related PR for a detailed explanation of this change.
[#1970](https://github.com/Mashape/kong/pull/1970)
- :warning: Dropping support for unsecure `TLS/1.0` and defaulting `Upgrade`
responses to `TLS/1.2`.
[#2119](https://github.com/Mashape/kong/pull/2119)
- Bump the compatible OpenResty version to `1.11.2.1` and `1.11.2.2`. Support
for OpenResty `1.11.2.2` requires the `--without-luajit-lua52` compilation
flag.
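Review bot: The new `TLS/1.0` bullet in the changelog does not tell operators what still works or what breaks. It should state that the proxy SSL listener now accepts only TLSv1.1 and TLSv1.2 (per the `ssl_protocols` change in `nginx_kong.lua`), so clients limited to TLS 1.0 will fail the handshake after upgrading. "unsecure" should also read "insecure".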
2 changes: 1 addition & 1 deletion kong/core/handler.lua
Expand Up @@ -86,7 +86,7 @@ return {

if api.https_only and not utils.check_https(api.http_if_terminated) then
ngx.header["connection"] = "Upgrade"
ngx.header["upgrade"] = "TLS/1.0, HTTP/1.1"
ngx.header["upgrade"] = "TLS/1.2, HTTP/1.1"

return responses.send(426, "Please use HTTPS protocol")
end
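Review bot: The replacement value on the `ngx.header["upgrade"]` line is a hard-coded string literal that is not tied to the `ssl_protocols` list in `nginx_kong.lua`, so the version advertised in the 426 response can drift from what the listener actually negotiates the next time either side is edited. Consider defining the advertised protocol once, next to the listener configuration, and building the header value from it.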
2 changes: 1 addition & 1 deletion kong/templates/nginx_kong.lua
Expand Up @@ -86,7 +86,7 @@ server {
listen ${{PROXY_LISTEN_SSL}} ssl;
ssl_certificate ${{SSL_CERT}};
ssl_certificate_key ${{SSL_CERT_KEY}};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate_by_lua_block {
kong.ssl_certificate()
}
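Review bot: The new `ssl_protocols` line still enables TLSv1.1, which does not match the commit title ("requiring upgrade to more secure TLS/1.2") or the `TLS/1.2` value now sent in the 426 `Upgrade` header. Either reduce the list to `ssl_protocols TLSv1.2;` or reword the title and changelog to say the minimum is TLS 1.1. Unlike the neighbouring `${{SSL_CERT}}` and `${{SSL_CERT_KEY}}` values, the protocol list is a literal in the template; exposing it as a configuration property would make this breaking change easier to roll out for deployments with legacy clients.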
2 changes: 1 addition & 1 deletion spec/02-integration/05-proxy/04-ssl_spec.lua
Expand Up @@ -105,7 +105,7 @@ describe("SSL", function()
local body = assert.res_status(426, res)
assert.equal([[{"message":"Please use HTTPS protocol"}]], body)
assert.contains("Upgrade", res.headers.connection)
assert.equal("TLS/1.0, HTTP/1.1", res.headers.upgrade)
assert.equal("TLS/1.2, HTTP/1.1", res.headers.upgrade)
end)

it("blocks request with HTTPS in x-forwarded-proto but no http_if_already_terminated", function()
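Review bot: Only the expected string in the `res.headers.upgrade` assertion is updated here, and none of the four changed files adds a test that the proxy SSL listener now refuses a TLS 1.0 handshake, which is the behaviour change clients will actually hit. Add a case to this spec that connects with the protocol pinned to TLS 1.0 and expects the handshake to fail, plus one confirming that a TLS 1.2 connection still succeeds.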