Annotations: Drop SSLv2, SSLv3, TLSv1 & TLSv1.1 support.

docs/user-guide/tls.md

@@ -23,7 +23,7 @@ The resulting secret will be of type `kubernetes.io/tls`.
 
 ## Host names
 
-Ensure that the relevant [ingress rules specify a matching host name](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+Ensure that the relevant [ingress rules specify a matching hostname](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 
 ## Default SSL Certificate
 
@@ -145,7 +145,7 @@ metadata:
   name: nginx-config
 data:
   ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
-  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+  ssl-protocols: "TLSv1.2 TLSv1.3"
 ```
 
 

internal/ingress/annotations/proxyssl/main.go

@@ -32,15 +32,15 @@ import (
 
 const (
 	defaultProxySSLCiphers     = "DEFAULT"
-	defaultProxySSLProtocols   = "TLSv1 TLSv1.1 TLSv1.2"
+	defaultProxySSLProtocols   = "TLSv1.2"
 	defaultProxySSLVerify      = "off"
 	defaultProxySSLVerifyDepth = 1
 	defaultProxySSLServerName  = "off"
 )
 
 var (
 	proxySSLOnOffRegex    = regexp.MustCompile(`^(on|off)$`)
-	proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3| )*$`)
+	proxySSLProtocolRegex = regexp.MustCompile(`^(TLSv1\.2|TLSv1\.3| )*$`)
 	proxySSLCiphersRegex  = regexp.MustCompile(`^[A-Za-z0-9\+:\_\-!]*$`)
 )
 

internal/ingress/annotations/proxyssl/main_test.go

@@ -32,7 +32,7 @@ const (
 	proxySslCiphers   = "HIGH:-SHA"
 	off               = "off"
 	sslServerName     = "w00t"
-	defaultProtocol   = "SSLv2 TLSv1 TLSv1.2 TLSv1.3"
+	defaultProtocol   = "TLSv1.2 TLSv1.3"
 )
 
 func buildIngress() *networking.Ingress {
@@ -103,7 +103,7 @@ func TestAnnotations(t *testing.T) {
 	data[parser.GetAnnotationWithPrefix(proxySSLSecretAnnotation)] = defaultDemoSecret
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = proxySslCiphers
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "$host"
-	data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 SSLv2 TLSv1   TLSv1.2"
+	data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 TLSv1.2"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "on"
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = off
 	data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on"

internal/ingress/annotations/sslcipher/main.go

@@ -43,7 +43,7 @@ var sslCipherAnnotations = parser.Annotation{
 			Scope:     parser.AnnotationScopeIngress,
 			Risk:      parser.AnnotationRiskLow,
 			Documentation: `The following annotation will set the ssl_prefer_server_ciphers directive at the server level. 
-			This configuration specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.`,
+			This configuration specifies that server ciphers should be preferred over client ciphers when using the TLS protocols.`,
 		},
 		sslCipherAnnotation: {
 			Validator:     parser.ValidateRegex(regexValidSSLCipher, true),

pkg/apis/ingress/types.go

@@ -210,7 +210,7 @@ type Server struct {
 	// SSLCiphers returns list of ciphers to be enabled
 	SSLCiphers string `json:"sslCiphers,omitempty"`
 	// SSLPreferServerCiphers indicates that server ciphers should be preferred
-	// over client ciphers when using the SSLv3 and TLS protocols.
+	// over client ciphers when using the TLS protocols.
 	SSLPreferServerCiphers string `json:"sslPreferServerCiphers,omitempty"`
 	// AuthTLSError contains the reason why the access to a server should be denied
 	AuthTLSError string `json:"authTLSError,omitempty"`