Unable to disable TLSv1.0 and TLSv1.1 on nginx

linux nginx ssl

After many iterations and experimentation what I found was that somehow the cipher list I'd specified appears to relate to this problem. Once I got this list right TLSv1 and TLSv1.1 are in fact correctly disabled (again according to the Qualsys SSL Labs Test and we do once again show an A+ grade for our sites. Here are the settings that got us there:

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

One resource I found during this experimentation that seems worth keeping around is the Mozilla SSL Configuration Generator. This allowed me to confirm the sanity of my server configuration and get a larger list of supported secure ciphers.

--

Nowhere else that I ran into mentioned this - so maybe it was something about a slightly older version of nginx I was using? Whatever the case - I hope this helps someone save a bunch of time.

Related

No space left on device
Apache Centos 6.5 Only Loading First Virtual Host
permission denied on authorized_keys
Configuring Secondary DNS to Work if Primary is down (Bind)
Pass the PID from tasklist into taskkill to kill a process by the .dlls it's holding open
PostgreSQL - Could not extend file No space left on device. HINT: Check free disk space
Public IPs on MPLS Traceroute
How to share print drivers from a 64 bit Windows server to 32 bit client machines
HP DL380 G7 Will Not Power On
Fail2ban does not ban any ip-adresses with vsftpd
WSGI vs uWSGi with Nginx [closed]
Why is the Fibonacci series used in agile planning poker? [closed]