How to Disable TLSv1.0 and TLSv1.1 in Nginx

nginx ssl configuration tls

From the nginx documentation for ssl_protocols directive:

The TLSv1.1 and TLSv1.2 parameters are supported starting from versions 1.1.13 and 1.0.12, so when the OpenSSL version 1.0.1 or higher is used on older nginx versions, these protocols work, but cannot be disabled.`

On newer versions this can be verified by using the openssl commands as follows:

  • Verify that TLS v1.2 is supported: openssl s_client -tls1_2 -connect example.org:443 < /dev/null
  • Verify that TLS v1.1 is not supported: openssl s_client -tls1_1 -connect example.org:443 < /dev/null
  • Verify that TLS v1.0 is not supported: openssl s_client -tls1 -connect example.org:443 < /dev/null

If the nginx configuration includes only ssl_protocols TLSv1.2 directive then only TLSv1.2 is supported. If ssl_protocols TLSv1.1 and TLSv1.2 is configured, then only TLSv1.1 and TLSv1.2 are supported. Tested with openssl 1.0.1e and nginx 1.6.2.

Related

start nginx despite missing upstream
Set default TTL in Varnish 4.0?
Copying over SSH via Putty tools is slower than via WinSCP
Apache shuts down unintentionally
Keeping Google Cloud Storage buckets backed up
Salt: Minion did not return but salt-call is working
HAProxy has no server available
On Linux, what is the size of pages reported by vmstat command and/or /proc/vmstat?
iSCSI target stuck reconnecting after server reboots
CentOS 7.2.1511, kickstart and user creation
How can I use POSIX ACLs on an NFSv4 mount in Linux?
How to prevent docker containers auto-start at daemon start in Windows? [closed]