7

I'm trying to figure out how to disable TLSv1 and TLSv1.1 in Nginx and ONLY allow connections on TLS 1.2. This is for testing reasons more than production use, and for the life of me I cannot figure out why Nginx won't let me do this.

Nginx SSL config:

ssl on;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:!aNULL:!MD5:!kEDH;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=262974383; includeSubdomains;";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;

But for some reason Nginx still negotiates TLS 1.0 and 1.1 connections. Am I doing something wrong? I'm using Nginx 1.7.10 on Ubuntu Server 14.04 LTS with OpenSSL 1.0.1f.

Lost
  • protocols are disabled, unless you enable by specifying inside of `ssl_protocols`, such as `ssl_protocols TLSv1.2;`. – alexus Feb 27 '15 at 21:06
  • I would double check the config; I got hit by a missing semicolon on a `gzip_disable` line. Because it's an open-ended configuration setting, no errors were thrown at all, but my next line was ignored. This was, of course, `ssl_protocols TLSv1.2;` – miken32 Oct 07 '16 at 22:29
  • I had the same problem and did a grep: `grep -ir "ssl_protocols" /etc/nginx` but I couldn't find other ssl_protocols set. Then I realized later that letsencrypt defined this outside of `/etc/nginx`: `/etc/letsencrypt/options-ssl-nginx.conf` - after changing the protocols there I didn't have any problems anymore. – ChristophLSA Apr 15 '20 at 08:51
  • For me, my main `ssl_protocols` setting was being overridden by one in `/etc/nginx/snippets/ssl-params.conf` – Ted Apr 23 '20 at 08:56

2 Answers

4

From the nginx documentation for ssl_protocols directive:

The TLSv1.1 and TLSv1.2 parameters are supported starting from versions 1.1.13 and 1.0.12, so when the OpenSSL version 1.0.1 or higher is used on older nginx versions, these protocols work, but cannot be disabled.

On newer versions this can be verified by using the openssl commands as follows:

  • Verify that TLS v1.2 is supported: `openssl s_client -tls1_2 -connect example.org:443 < /dev/null`
  • Verify that TLS v1.1 is not supported: `openssl s_client -tls1_1 -connect example.org:443 < /dev/null`
  • Verify that TLS v1.0 is not supported: `openssl s_client -tls1 -connect example.org:443 < /dev/null`

If the nginx configuration includes only the `ssl_protocols TLSv1.2;` directive then only TLSv1.2 is supported. If `ssl_protocols TLSv1.1 TLSv1.2;` is configured, then only TLSv1.1 and TLSv1.2 are supported. Tested with openssl 1.0.1e and nginx 1.6.2.

thevilledev
  • But I'm using 1.7.10 Nginx, this shouldn't be a problem. – Lost Feb 27 '15 at 20:16
  • if you're down-voting answer, at very least use comment section to explain why! – alexus Feb 27 '15 at 21:07
  • Unfortunately, either something is wrong or misconfigured. Only TLSv1.2 is enabled in the `ssl_protocols` directive but Nginx still responds to requests under 1.0 and 1.1 – Lost Feb 27 '15 at 23:14
  • @alexus I suspect that people are downvoting because the text you quoted refer to obsolete versions of Nginx that aren't used anymore, and the OP specified what version is in place. – gparent Mar 03 '15 at 17:50
  • @gparent let's not speculate, whoever downvote should answer that not somebody else, but regardless this is exactly why vtorhonen provided extended answer that covers _ALL_ versions. – alexus Mar 03 '15 at 17:54
  • I'm speculating about others precisely because I can only speak for myself. – gparent Mar 03 '15 at 17:59
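The three `openssl s_client` probes from the answer above, wrapped into a script that classifies each handshake by the negotiated cipher and reports whether the endpoint really is TLS 1.2-only. This is an added example, not code from the original answer; it assumes an `openssl` build that still accepts the `-tls1`, `-tls1_1` and `-tls1_2` flags, and `example.org:443` is a placeholder host.

```shell
#!/bin/sh
# Added example: probe a TLS endpoint per protocol version with openssl s_client
# and decide whether only TLS 1.2 is accepted.

# Classify one s_client transcript (stdout+stderr). A successful handshake
# prints "Cipher is <NAME>"; a rejected version prints "Cipher is (NONE)".
# Returns 0 if the version was accepted, 1 otherwise.
classify_handshake() {
    printf '%s\n' "$1" | grep -q 'Cipher is (NONE)' && return 1
    printf '%s\n' "$1" | grep -q 'Cipher is [A-Z0-9-]' && return 0
    return 1
}

# Extract the "Protocol  : TLSv1.2" line from a transcript (empty if absent).
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# $1 = host:port, $2 = s_client version flag (-tls1, -tls1_1 or -tls1_2).
# openssl exits non-zero on a failed handshake, so never let that abort a
# caller running under set -e.
probe_protocol() {
    out=$(openssl s_client "$2" -connect "$1" </dev/null 2>&1 || true)
    if classify_handshake "$out"; then echo accepted; else echo rejected; fi
}

# Succeeds (exit 0) only when TLS 1.2 is accepted and 1.0/1.1 are rejected,
# which is the state the question is trying to reach.
check_tls12_only() {
    host=$1
    t10=$(probe_protocol "$host" -tls1)
    t11=$(probe_protocol "$host" -tls1_1)
    t12=$(probe_protocol "$host" -tls1_2)
    printf 'TLS1.0: %s\nTLS1.1: %s\nTLS1.2: %s\n' "$t10" "$t11" "$t12"
    [ "$t12" = accepted ] && [ "$t10" = rejected ] && [ "$t11" = rejected ]
}

# Usage: sh probe.sh example.org:443   (placeholder host; exit 1 if 1.0/1.1 still answer)
if [ -n "$1" ]; then
    check_tls12_only "$1"
fi
```

An OpenSSL built without TLS 1.0/1.1 support (common on newer distributions) will report those versions as rejected regardless of the server, so run it from a machine whose `openssl` still speaks them when you want to reproduce the question's result.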
0

Wow, this is an old issue... but I ran into the same issue as the author of this question, where the Qualys SSL Test reported that TLSv1 and TLSv1.1 were on despite explicitly turning them off.

It turned out that by cleaning up my cipher list I was able to get things working correctly (according to the Qualys SSL Test). Here's a link to my Q&A with the solution in case anyone else gets here in the future.

darrin