Small TLS settings modernization

Some time has passed since I last tightened the TLS settings on my home server. Let's move them a notch higher, this time including the home k3s cluster.

Use ECC certificates

In 2026, using elliptic curve cryptography certificates should be the norm. Fortunately, obtaining them automatically is easy. I'm using cert-manager for Kubernetes ingresses. Switching to ECC is just a matter of adding a private-key algorithm annotation to the Ingress:

annotations:
  cert-manager.io/cluster-issuer: "zerossl-production"
  cert-manager.io/private-key-algorithm: "ECDSA"

and removing the Secret that holds the old certificate and key.

A small caveat: FreeIPA still lags behind. While it supports the ACME protocol, obtaining ECC certificates through it is not possible yet. I've left my internal domains with RSA certificates.

For the main server, I refresh certificates with a small Ruby script. I only had to change RSA.new(3072) to EC key generation; the rest happened automatically:

certificate_private_key = OpenSSL::PKey::EC.generate('prime256v1')
csr = Acme::Client::CertificateRequest.new(private_key: certificate_private_key, names: PIPEBREAKER_DOMAINS)
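The acme-client gem's CertificateRequest does the CSR building behind that one-line change. As an added example, not the post's script, here is the same work done with only Ruby's standard openssl library, together with the inspection a CA (or you, before submitting) performs on the result: key type and curve, signature algorithm, SANs, and the self-signature. SAMPLE_DOMAINS is a constructed stand-in for PIPEBREAKER_DOMAINS.

```ruby
require 'openssl'

# Constructed stand-in for the post's PIPEBREAKER_DOMAINS constant (assumption).
SAMPLE_DOMAINS = %w[example.net www.example.net].freeze

# Build a CSR the way an ACME client does: the domains go into a
# subjectAltName extension carried in the extReq attribute, and the request
# is signed with the certificate's own key (here ECDSA P-256 with SHA-256).
def build_csr(domains, key = OpenSSL::PKey::EC.generate('prime256v1'))
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.new([['CN', domains.first]])
  req.public_key = key
  san = OpenSSL::X509::ExtensionFactory.new.create_extension(
    'subjectAltName', domains.map { |d| "DNS:#{d}" }.join(', '), false
  )
  req.add_attribute(OpenSSL::X509::Attribute.new(
    'extReq', OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
  ))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Pull the SAN list back out of the extReq attribute (empty if none).
def csr_sans(req)
  attr = req.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  attr.value.value.first.value.map { |raw| OpenSSL::X509::Extension.new(raw.to_der) }
      .select { |ext| ext.oid == 'subjectAltName' }
      .flat_map { |ext| ext.value.split(',').map { |s| s.strip.delete_prefix('DNS:') } }
end

# What to check on a CSR before (or after) handing it to the CA: key type and
# curve, signature algorithm, the SANs, and that the self-signature verifies
# under the embedded public key.
def inspect_csr(req)
  pub = req.public_key
  {
    key_type: pub.class.name.split('::').last,   # "EC" for the new key, "RSA" for the old one
    curve: pub.is_a?(OpenSSL::PKey::EC) ? pub.group.curve_name : nil,
    signature: req.signature_algorithm,          # ecdsa-with-SHA256 for a P-256 key
    sans: csr_sans(req),
    valid: req.verify(pub)
  }
end

if __FILE__ == $PROGRAM_NAME
  p inspect_csr(build_csr(SAMPLE_DOMAINS))
end
```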

Use TLSv1.3 only

Last time I limited Transport Layer Security support to versions 1.2 and 1.3. Today, let's allow only the latest. I don't care about supporting Windows 7-era clients (years out of support).

Ingress on k3s is handled by Traefik. The simplest way to influence its TLS configuration is to create a global TLSOption (named default):

apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: kube-system
spec:
  minVersion: VersionTLS13

That's all!

The change to the nginx configuration on the main server is minimal, too. Version 1.2 is removed from the list, leaving only 1.3:

ssl_protocols TLSv1.3;

I still have to tune the TLS settings of Postfix and a few other services later.

065/100 of #100DaysToOffload
