I am struggling to find a way to configure Kong in a docker container to support the legacy TLS versions (TLSv1.1 specifically). TLSv1.2 is not supported by a legacy device which needs to connect to my services hosted behind the Kong Gateway.
I can see that looking in the nginx-kong.conf file that only TLSv1.2 and TLSv1.3 are set under the ssl_protocols element (part of the injected nginx_http_* directives block)
I have tried to set an environment variable according to the docs, KONG_NGINX_HTTP_SSL_PROTOCOLS which should change the ssl_protocols in this location except it created a new ssl_protocols entry under the server block.
I have tested my configuration using an online SSL checker and it reports that only TLSv1.2 and TLSv1.3 is enabled.
I ended up adding all of the below before it worked.
KONG_NGINX_HTTP_SSL_PROTOCOLS: “TLSv1 TLSv1.1 TLSv1.2 TLSv1.3”
KONG_NGINX_PROXY_SSL_PROTOCOLS: “TLSv1 TLSv1.1 TLSv1.2 TLSv1.3”
KONG_NGINX_SSL_PROTOCOLS: “TLSv1 TLSv1.1 TLSv1.2 TLSv1.3”
KONG_SSL: “on”
KONG_SSL_CIPHER_SUITE: old
KONG_SSL_PROTOCOLS: “TLSv1 TLSv1.1 TLSv1.2 TLSv1.3”
My client device appears to be using TLS1.1 but it only started to work once I enabled TLSv1.
I am not particularly happy about enabling the legacy TLS versions but without a firmware upgrade on the devices I have to put up with it.
These are all server level options, can you restrict the TLS level for different services exposed by Kong? I have multiple services but only one of them requires the legacy TLS versions.