How to Disable TLSv1.0 and TLSv1.1 in Nginx
From the nginx documentation for the ssl_protocols directive:
"The TLSv1.1 and TLSv1.2 parameters are supported starting from versions 1.1.13 and 1.0.12, so when the OpenSSL version 1.0.1 or higher is used on older nginx versions, these protocols work, but cannot be disabled."
On newer versions this can be verified by using the openssl commands as follows:
- Verify that TLS v1.2 is supported:
    openssl s_client -tls1_2 -connect example.org:443 < /dev/null
- Verify that TLS v1.1 is not supported:
    openssl s_client -tls1_1 -connect example.org:443 < /dev/null
- Verify that TLS v1.0 is not supported:
    openssl s_client -tls1 -connect example.org:443 < /dev/null
If the nginx configuration includes only the ssl_protocols TLSv1.2 directive, then only TLSv1.2 is supported. If ssl_protocols TLSv1.1 and TLSv1.2 is configured, then only TLSv1.1 and TLSv1.2 are supported. Tested with openssl 1.0.1e and nginx 1.6.2.
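The two sides of this check, as an added example that is not part of the original page or the nginx project: a config-side scan for ssl_protocols directives that still enable TLSv1 or TLSv1.1, and a wrapper around the three openssl commands above. The function names and the sample config are constructed for illustration; example.org:443 is the page's placeholder target.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Read an nginx config on stdin and print "LINE: PROTO" for every
# ssl_protocols directive that still enables TLSv1 or TLSv1.1.
# Handles comments and directives split across lines. A config with no
# ssl_protocols directive at all is not reported.
weak_ssl_protocols() {
  awk '{
    sub(/#.*/, "")                      # strip comments; awk re-splits fields
    for (i = 1; i <= NF; i++) {
      tok = $i
      if (!in_dir) { if (tok == "ssl_protocols") in_dir = 1; continue }
      last = (tok ~ /;$/)               # a trailing ";" ends the directive
      sub(/;$/, "", tok)
      if (tok == "TLSv1" || tok == "TLSv1.1") print NR ": " tok
      if (last) in_dir = 0
    }
  }'
}

# Run the three openssl checks from the page against HOST:PORT ($1).
# Passes only if TLSv1.2 connects and TLSv1.1 / TLSv1.0 are refused.
check_remote() {
  cr_rc=0
  for cr_flag in -tls1_2 -tls1_1 -tls1; do
    if openssl s_client "$cr_flag" -connect "$1" < /dev/null > /dev/null 2>&1
    then cr_ok=yes; else cr_ok=no; fi
    case "$cr_flag:$cr_ok" in
      -tls1_2:no) echo "FAIL: TLSv1.2 handshake refused"; cr_rc=1 ;;
      -tls1_1:yes|-tls1:yes) echo "FAIL: $cr_flag handshake accepted"; cr_rc=1 ;;
    esac
  done
  return "$cr_rc"
}

# Constructed sample config (not from the page).
SAMPLE_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
server {
    listen 8443 ssl;
    # ssl_protocols TLSv1;
    ssl_protocols TLSv1 TLSv1.1
                  TLSv1.2;
}'

printf '%s\n' "$SAMPLE_CONF" | weak_ssl_protocols
```

Run `check_remote example.org:443` from a host whose OpenSSL build still offers -tls1 and -tls1_1. A recent OpenSSL client may itself refuse those versions, in which case a failed handshake does not prove the server setting.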