How to disable TLS 1.0 and TLS 1.1?

Reddeppa S
Mar 12, 2023

Recently, during a security scan, I discovered that our application supports TLS 1.0 and TLS 1.1. The application is deployed in Kubernetes and uses Traefik as the Ingress Controller.

I then ran an analysis of the TLS handshake using SSLLabs. The SSLLabs service provides a detailed report of various aspects of TLS, along with a color-coded report.

The report shows that the application supports the TLS 1.0 and 1.1 protocols without forward secrecy key exchange algorithms.

An IngressRoute is associated with TLS options through its tls.options.name configuration parameter. The configuration below defines a TLSOption resource with specific TLS settings and applies it to the IngressRoute.

Make sure you create the TLSOption in the same namespace as the application.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: tlsoptions
  namespace: <namespace>
spec:
  # Reject handshakes below TLS 1.2 (disables TLS 1.0 and TLS 1.1).
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: false
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: <app name>
  namespace: <namespace>
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`<app host name>`)
      services:
        - name: <app name>
          port: 80
  tls:
    # Reference the TLSOption defined above.
    options:
      name: tlsoptions
      namespace: <namespace>
```

Deploy the updated configuration and then re-run the scan in SSLLabs and generate the report. The new report shows the change in supported protocols and key exchange algorithms.
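The two problems the scan reported (a minimum version below TLS 1.2 and key exchange without forward secrecy) can also be checked on the TLSOption object itself, without waiting for an external scan. The following is an added example, not code from the original post: `audit_tlsoption` and both sample manifests are constructed for illustration, and the input is assumed to be the JSON form of a TLSOption as `kubectl get tlsoption <name> -o json` prints it.

```python
import json

# Traefik minVersion names, weakest first.
VERSIONS = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]
# TLS 1.3 suites always use ephemeral key exchange.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

def audit_tlsoption(manifest):
    """Return findings for one TLSOption object given as a parsed-JSON dict."""
    spec = manifest.get("spec", {})
    findings = []
    min_version = spec.get("minVersion")
    if min_version is None:
        findings.append("minVersion not set; pin it to VersionTLS12 or higher")
    elif min_version not in VERSIONS:
        findings.append(f"unrecognised minVersion {min_version!r}")
    elif VERSIONS.index(min_version) < VERSIONS.index("VersionTLS12"):
        findings.append(f"minVersion {min_version} is below VersionTLS12")
    seen = set()
    for suite in spec.get("cipherSuites", []):
        if suite in seen:
            findings.append(f"{suite}: listed more than once")
        seen.add(suite)
        if suite in TLS13_SUITES or suite == "TLS_FALLBACK_SCSV":
            continue  # TLS 1.3 suite, or a signalling value rather than a cipher
        if "_ECDHE_" not in suite:
            findings.append(f"{suite}: no forward secrecy (not ECDHE)")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC mode, not an AEAD cipher")
    return findings

# Constructed samples, shaped like `kubectl get tlsoption <name> -o json` output.
WEAK = json.loads("""{"kind": "TLSOption", "spec": {
  "minVersion": "VersionTLS10",
  "cipherSuites": ["TLS_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}}""")
HARDENED = json.loads("""{"kind": "TLSOption", "spec": {
  "minVersion": "VersionTLS12",
  "cipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                   "TLS_AES_256_GCM_SHA384"]}}""")

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_tlsoption(manifest) or "no findings")
```

This checks only what the manifest declares; the SSLLabs re-scan is still what confirms the behaviour of the deployed endpoint.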
