How to enable TLS 1.2 in Nginx?

Solution 1:

First you need to activate SSL/TLS in your nginx.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

    # the ssl_protocols / ssl_ciphers directives shown below also belong inside this block
}

The two listen lines enable SSL on your IPv4 and IPv6 connections. If you have no IPv6 you might leave out the second listen line.

I assume that your server certificate is in /etc/ssl. If you use another path, you'd change the last two lines.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

This enables different TLS versions. All current browsers are able to use TLS1.2. For older browsers I wrote a small howto on enabling secure settings.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;

The first line sets the ciphers which your nginx should use. The second line prefers the cipher suites on the server (and not the client) side. So you can use strong(er) ciphers.

If you're done, your nginx should use TLS1.2. If you'd like, you can add your site to a TLS1.2 hall of fame and be proud. ;)

However, there are several methods to improve the settings. I follow this German guide for secure nginx configuration.
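An added example, not part of either answer: a small Python lint that reads the ssl_* directives from an nginx server block (the one from Solution 1 is embedded as a constructed sample), flags legacy protocol versions, a missing ssl_prefer_server_ciphers, and cipher suites without forward secrecy, plus a probe that reports which TLS version a live host actually negotiates. The host name and thresholds are assumptions; the probe needs network access.

```python
"""Lint nginx ssl_* directives and probe a live server's negotiated TLS version.
Added example; it is not code from the original answers."""
import socket
import ssl

# Constructed sample: the ssl_* directives from Solution 1 in one server block.
SAMPLE_CONF = """
server {
    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_ssl_directives(conf: str) -> dict:
    """Return {directive: [args]} for every ssl_* directive; '#' comments are ignored."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line.startswith("ssl_"):
            name, *args = line.split()
            out[name] = args
    return out

def lint_tls(conf: str) -> list:
    """Return a list of findings that weaken the TLS setup (empty list = nothing flagged)."""
    d = parse_ssl_directives(conf)
    findings = []
    protos = d.get("ssl_protocols", [])
    if "TLSv1.2" not in protos and "TLSv1.3" not in protos:
        findings.append("TLS 1.2/1.3 not enabled in ssl_protocols")
    for p in protos:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {p}")
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    for c in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if c and not c.startswith(("ECDHE-", "DHE-")):  # no ephemeral key exchange
            findings.append(f"cipher without forward secrecy: {c}")
    return findings

def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to a live host and return the TLS version it negotiates, e.g. 'TLSv1.2'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Running lint_tls(SAMPLE_CONF) on the answer's settings reports only the two legacy protocols (TLSv1.1 and TLSv1) as findings; after reloading nginx, negotiated_version("example.org") confirms what the server actually offers.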

Solution 2:

There are numerous security advisories that have been addressed in subsequent versions of nginx. If you're still (6 months stale post?) in this situation, seriously consider upgrading; TLS settings won't matter if the web server itself is insecure. See http://nginx.org/en/security_advisories.html for details.

If, for some reason, you MUST run this version of nginx, the information available on enabling strong cipher suites with nginx (or Apache) here will probably help: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy