
I was having a devil of a time disabling TLSv1 and TLSv1.1 on my nginx server despite following one of the many guides you'll find with a quick Google search.

Specifically, the recommendation was to change this line in your nginx configuration file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

To something like this:

ssl_protocols TLSv1.2;

Despite changing the config to support only TLSv1.2, my nginx server appears to keep TLSv1 and TLSv1.1 enabled, as evidenced by running the Qualys SSL Labs test, thereby limiting our overall score to a "B". Seemingly such an easy fix - super frustrating.

darrin

2 Answers


After many iterations and experimentation, what I found was that somehow the cipher list I'd specified appears to relate to this problem. Once I got this list right, TLSv1 and TLSv1.1 are in fact correctly disabled (again according to the Qualys SSL Labs test) and we once again show an A+ grade for our sites. Here are the settings that got us there:

ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

One resource I found during this experimentation that seems worth keeping around is the Mozilla SSL Configuration Generator. This allowed me to confirm the sanity of my server configuration and get a larger list of supported secure ciphers.

--

Nothing else I ran into mentioned this - so maybe it was something about the slightly older version of nginx I was using? Whatever the case - I hope this helps someone save a bunch of time.

darrin

I ran into the same problem and banged my head against it for hours. In the end it turned out that the issue was not the configuration of my domain but for a different one being served from the same IP.

TLS by its nature allows many domains to be served over the same IP address, and if one of the others is insisting on using older versions of TLS or SSL, then the server may offer these up first, resulting in the browser rejection.

The solution was to make sure ALL servers on the IP were configured with:

ssl_protocols TLSv1.2 TLSv1.3;

in their nginx configuration.
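A check that follows from the second answer, added here as an example and not part of the question or either answer: nginx settles the TLS version per listen socket, before SNI has picked a server block, so a single server block on the same IP:port that still lists TLSv1 or TLSv1.1 (the default_server in particular) re-enables them for every name on that socket. The script below does a minimal brace-aware parse of an nginx configuration, groups server blocks by their ssl listen socket, resolves the effective ssl_protocols (server block, else http level, else nginx's compiled-in default, which still includes TLSv1 and TLSv1.1), and reports each socket that has a permissive block on it. The configuration it scans is a constructed sample; the hostnames and the 203.0.113.10 address are documentation placeholders, and `include` files are not followed. One caveat on the first answer: the cipher list there is all AES-GCM and ChaCha20-Poly1305 suites, which only exist in TLS 1.2, so a TLS 1.0/1.1 handshake fails for want of a cipher and a scanner reports those versions as disabled; that hides the symptom rather than removing the protocol from the socket, which is what the per-server-block audit below is for.

```python
"""Lint an nginx configuration for server blocks that still permit TLSv1/TLSv1.1.

Example code written for this page, not nginx's own tooling. nginx negotiates the
TLS version per listen socket, before SNI selects a server block, so one permissive
block (especially the default_server) re-enables old versions for the whole IP:port.
"""
import re
from collections import defaultdict

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# nginx's default when no ssl_protocols directive applies; newer builds append
# TLSv1.3, but every default list includes TLSv1 and TLSv1.1, so treat an absent
# directive as permissive (assumption: default list as of nginx 1.x).
NGINX_DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]

# Each match is "text before a delimiter" plus the delimiter: `header {`, `}` or `directive;`
_TOKEN = re.compile(r"([^{};]*)([{};])")


def _listen_socket(args):
    """Normalise a `listen` directive to an IP:port key; only `ssl` listens count."""
    if "ssl" not in args:
        return None
    addr = args[0]
    return addr if ":" in addr else f"*:{addr}"  # "443" -> "*:443"; "[::]:443" kept


def parse_servers(conf_text):
    """Return (http-level ssl_protocols, list of server block dicts)."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip comments first
    stack, servers = [], []
    http_protocols, current = None, None
    for match in _TOKEN.finditer(text):
        body, delim = match.group(1).strip(), match.group(2)
        if delim == "{":
            name = body.split()[0] if body else ""
            stack.append(name)
            if name == "server":
                current = {"server_name": "", "listen": [], "ssl_protocols": None, "default_server": False}
                servers.append(current)
        elif delim == "}":
            if stack and stack.pop() == "server":
                current = None
        elif body:
            directive, *args = body.split()
            in_server = bool(stack) and stack[-1] == "server"  # ignore location-level noise
            if directive == "ssl_protocols":
                if in_server:
                    current["ssl_protocols"] = args
                elif stack and stack[-1] == "http":
                    http_protocols = args
            elif in_server and directive == "listen":
                sock = _listen_socket(args)
                if sock:
                    current["listen"].append(sock)
                if "default_server" in args:
                    current["default_server"] = True
            elif in_server and directive == "server_name":
                current["server_name"] = " ".join(args)
    return http_protocols, servers


def effective_protocols(server, http_protocols):
    """server-level ssl_protocols, else the http-level one, else nginx's default."""
    return server["ssl_protocols"] or http_protocols or NGINX_DEFAULT_PROTOCOLS


def find_legacy_sockets(conf_text):
    """Map each TLS listen socket to the server blocks on it that still allow a legacy version."""
    http_protocols, servers = parse_servers(conf_text)
    by_socket = defaultdict(list)
    for srv in servers:
        protos = effective_protocols(srv, http_protocols)
        for sock in srv["listen"]:
            by_socket[sock].append((srv, protos))
    findings = {}
    for sock, entries in by_socket.items():
        offenders = [
            {"server_name": srv["server_name"], "protocols": protos, "default_server": srv["default_server"]}
            for srv, protos in entries
            if LEGACY_PROTOCOLS & set(protos)
        ]
        if offenders:  # one permissive block is enough to expose the whole socket
            findings[sock] = offenders
    return findings


# Constructed sample, not a real deployment: two names share 203.0.113.10:443.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;            # http-level setting, inherited below
    server {
        listen 203.0.113.10:443 ssl;
        server_name www.example.com;          # inherits TLSv1.2 TLSv1.3: fine on its own
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    }
    server {
        listen 203.0.113.10:443 ssl default_server;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # re-enables TLSv1/1.1 for the whole socket
    }
    server {
        listen [::]:443 ssl;
        server_name other.example.net;
        ssl_protocols TLSv1.2;
    }
    server {
        listen 80;
        server_name www.example.com legacy.example.com;
        return 301 https://$host$request_uri;
    }
}
"""

if __name__ == "__main__":
    for sock, offenders in find_legacy_sockets(SAMPLE_CONF).items():
        for o in offenders:
            flag = " (default_server)" if o["default_server"] else ""
            print(f"{sock}: {o['server_name']}{flag} allows {' '.join(o['protocols'])}")
```

Run against the sample, it reports only 203.0.113.10:443, pointing at legacy.example.com as the default_server that drags www.example.com down with it; change that one block to `ssl_protocols TLSv1.2 TLSv1.3;` and the socket drops out of the report. After reloading nginx, confirm from outside with `openssl s_client -connect host:443 -servername host -tls1_1` (and `-tls1`) for each name on the IP: a handshake failure for every one of them is the result you want, and `-servername` matters because that is how nginx picks the server block.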