How to Disable TLSv1.0 and TLSv1.1 in Nginx

From the nginx documentation for the ssl_protocols directive:

The TLSv1.1 and TLSv1.2 parameters are supported starting from versions 1.1.13 and 1.0.12, so when the OpenSSL version 1.0.1 or higher is used on older nginx versions, these protocols work, but cannot be disabled.

On newer versions, the enabled protocols can be verified with the following openssl commands:

  • Verify that TLS v1.2 is supported: openssl s_client -tls1_2 -connect example.org:443 < /dev/null
  • Verify that TLS v1.1 is not supported: openssl s_client -tls1_1 -connect example.org:443 < /dev/null
  • Verify that TLS v1.0 is not supported: openssl s_client -tls1 -connect example.org:443 < /dev/null

If the nginx configuration contains only the directive ssl_protocols TLSv1.2, then only TLSv1.2 is supported. If ssl_protocols TLSv1.1 TLSv1.2 is configured, then only TLSv1.1 and TLSv1.2 are supported. Tested with openssl 1.0.1e and nginx 1.6.2.
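
A check from the configuration side, added here as an example (it is not part of the original answer or of nginx): the script lists every ssl_protocols directive in a configuration file and flags any that still enables TLSv1 or TLSv1.1. It also flags SSLv2 and SSLv3, which goes beyond the versions discussed above. The function name audit_ssl_protocols, its exit codes and the sample configuration are constructed for illustration, and the script assumes '#' only ever starts a comment.

```shell
#!/bin/sh
# Added example: audit nginx configuration text for legacy ssl_protocols values.
# Assumption: '#' only starts comments (no '#' inside quoted strings).

# audit_ssl_protocols FILE
#   prints one line per ssl_protocols directive found in FILE
#   returns 0 = no legacy protocol enabled
#           1 = at least one directive enables a legacy protocol
#           2 = no directive found (nginx's version-dependent default applies)
audit_ssl_protocols() {
    sed 's/#.*//' "$1" |      # strip comments, including commented-out directives
    tr '\n' ' ' |             # join lines so a directive split over lines still parses
    tr ';{}' '\n\n\n' |       # one statement per line
    awk '
        $1 == "ssl_protocols" {
            seen = 1; weak = ""; all = ""
            for (i = 2; i <= NF; i++) {
                all = all " " $i
                if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) weak = weak " " $i
            }
            if (weak != "") { bad = 1; print "WEAK:" weak " enabled by ssl_protocols" all }
            else print "OK: ssl_protocols" all
        }
        END {
            if (!seen) { print "NONE: no ssl_protocols directive found"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample configuration (not taken from a real server).
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.2;   (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1
                  TLSv1.2;
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_ssl_protocols "$tmp" || echo "exit status: $?"
rm -f "$tmp"
```

A clean result here only describes the file that was scanned; the openssl s_client checks above remain the test of what the running server actually negotiates.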