How to activate TLSv1.3 with kong?

Hello!

On my company we need to use TLSv1.3 with kong, we were using the 0.12.1 version of kong which dosn’t support the TLSv1.3 protocol itself, so we updated to 0.14.1 that looks like it supports it. Also if we manage to make it work, we will look to keep upgrading to latest versions.

We using docker to make it work also with konga. This is our full docker-compose.yml file

 version: "2.1"

services:

  ########
  # datebase used by kong
  ########
  kong-database-admon:
    container_name: kong-database-admon
    image: postgres:10.7
    restart: always
    ports:
      - "5432:5432"
    environment:
      POSTGRES_USER: kong
      POSTGRES_PASSWORD: kong
      POSTGRES_DB: kong
    volumes:
      - "kong-data:/var/lib/postgresql/data"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      admon-network:
        aliases:
          - kong-database

  ########
  # kong: datebase migration
  ########
  kong-migration-admon:
    #image: kong:1.4.0
    image: kong:0.14.1
    restart: on-failure
    container_name: kong-migration-admon
    depends_on:
      kong-database-admon:
        condition: service_healthy
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PORT: 5432
      KONG_PG_DATABASE: kong
      KONG_PG_PASSWORD: kong
      KONG_PG_USER: kong
    #command: sh -c "kong migrations bootstrap && kong migrations up && kong migrations finish"
    command: kong migrations up
    networks:
      admon-network:
        aliases:
          - kong-migration

  ########
  # kong: the api gateway
  ########        
  kong-admon:
    container_name: kong-admon
   # image: kong:1.4.0
    image: kong:0.14.1
   # restart: on-failure
    depends_on:
      kong-database-admon:
        condition: service_healthy
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_PORT: 5432
      KONG_PG_PASSWORD: kong
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_LOG_LEVEL: debug                      
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 http2 ssl
      KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 http2 ssl
      KONG_SSL_PROTOCOLS: TLSv1.3
      KONG_SSL_CIPHER_SUITE : modern
      KONG_SSL_CIPHERS: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    volumes:
      - "kong-data:/usr/local/kong"
      - ${HOME}/git/admon/deployment/nginx/config/pfs-certificates:/usr/local/kong/ssl
      - ${HOME}/git/admon/deployment/nginx/config/kong-configuration:/etc/kong
    ports:
      - "8000:8000"
      - "8443:8443"
      - "8001:8001"
      - "8444:8444"
    healthcheck:
      test: ["CMD-SHELL", "curl -I -s -L http://kong:8443 || exit 1"]
      interval: 5s
      retries: 10
    networks:
      admon-network:
        aliases:
          - kong

  ########
  # konga interface
  ########  
  konga-admon:
    container_name: konga-admon
    image: pantsel/konga:0.12.0
    restart: always
    depends_on:
      kong-admon:
        condition: service_healthy
    ports:
      - "1337:1337"
    environment:
      NODE_ENV: development
      DB_ADAPTER: postgres
      DB_HOST: kong-database
      DB_PORT: 5432
      DB_USER: kong
      DB_PASSWORD: kong
      DB_DATABASE: kong
      KONG_ADMIN_URL: 'http://kong:8444'
      NO_AUTH: 'false'
      KONGA_HOOK_TIMEOUT: 600000
    healthcheck:
      test: ["CMD-SHELL", "curl -I -s -L http://localhost:1337 || exit 1"]
      interval: 10s
      retries: 10
    volumes:
      - "kong-data:/app/konga"
    networks:
      admon-network:
        aliases:
          - konga

volumes:
  kong-data:
    name: admon-kong-development

networks:
  admon-network:
    name: admon-network
    ipam:
      driver: default
      config:
      - subnet: 172.22.4.0/24
        gateway: 172.22.4.1

And our kong.conf is like the following:

ssl = on                        # Determines if Nginx should be listening for
                                 # HTTPS traffic on the `proxy_listen_ssl`
ssl_protocols = TLSv1.3

ssl_cipher_suite = custom       # Defines the TLS ciphers served by Nginx.
                                 # Accepted values are `modern`, `intermediate`,
                                 # `old`, or `custom`.
# Note: See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed
# descriptions of each cipher suite.

ssl_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt                      # If `ssl` is enabled, the absolute path to
                                 # the SSL certificate for the
                                 # `proxy_listen_ssl` address.

ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key                  # If `ssl` is enabled, the absolute path to
                                 # the SSL key for the `proxy_listen_ssl`
                                 # address.

http2 = on                     # Enables HTTP2 support for HTTPS traffic on
                                 # the `proxy_listen_ssl` address.

client_ssl = on                # Determines if Nginx should send client-side
                                 # SSL certificates when proxying requests.

client_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt              # If `client_ssl` is enabled, the absolute path
                                 # to the client SSL certificate for the
                                 # `proxy_ssl_certificate` directive. Note that
                                 # this value is statically defined on the node,
                                 # and currently cannot be configured on a
                                 # per-API basis.

client_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key          # If `client_ssl` is enabled, the absolute path
                                 # to the client SSL key for the
                                 # `proxy_ssl_certificate_key` address. Note
                                 # this value is statically defined on the node,
                                 # and currently cannot be configured on a
                                 # per-API basis.

admin_ssl = on                  # Determines if Nginx should be listening for
                                 # HTTPS traffic on the `admin_listen_ssl`
                                 # address. If disabled, Nginx will only bind
                                 # itself on `admin_listen`, and all SSL
                                 # settings will be ignored.

admin_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt                # If `admin_ssl` is enabled, the absolute path
                                 # to the SSL certificate for the
                                 # `admin_listen_ssl` address.

admin_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key            # If `admin_ssl` is enabled, the absolute path
                                 # to the SSL key for the `admin_listen_ssl`
                                 # address.

admin_http2 = on               # Enables HTTP2 support for HTTPS traffic on
                                 # the `admin_listen_ssl` address.


client_max_body_size = 0         # Defines the maximum request body size allowed
                                 # by requests proxied by Kong, specified in the
                                 # Content-Length request header. If a request
                                 # exceeds this limit, Kong will respond with a
                                 # 413 (Request Entity Too Large). Setting this
                                 # value to 0 disables checking the request body
                                 # size.
# Note: See
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# for further description of this parameter. Numeric values may be suffixed with
# 'k' or 'm' to denote limits in terms of kilobytes or megabytes.

client_body_buffer_size = 10m    # Defines the buffer size for reading the
                                 # request body. If the client request body is

We have the SSL certificates and we arent able to make it work. Also the command we using to test the TLS v1.3 connection is the following:

curl -I -v --tlsv1.3 --tls-max 1.3 https://192.168.70.20:8443/alpha/people

What are we doing wrong?