TLSv1 removed from nginx.conf but still works

Posted September 19, 2018 3k views
NginxUbuntu 16.04


I’m trying to disable TLSv1 from nginx and allow only strong ciphers. I’ve removed TLSv1 from sslprotocols and added the sslciphers line then restarted the nginx service and even restarted the server. However when I test this both using openssl s_client -connect -tls1 and with ssllabs, I’m still seeing it enabled. Any reason why this would be happening?

Below is the http setting from nginx.conf.

http {

        # Basic Settings

        client_max_body_size 500M;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # SSL Settings

        ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE. Dropping TLSv1.0
        ssl_prefer_server_ciphers on;

        # Logging Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        # Virtual Host Configs

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
  • Has anyone figured this out? I am having the same issue

  • I am having the same problem, based on my research it may have something to do with the https certificate provider, in my case, letsencrypt. While nginx may be correctly configured, letsencrypt is doing its own thing. The question is how do you make letsencrypt disable tls1.0?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
4 answers

After a ton of searching, I came across this file that will take care of this, however LetsEncrypt recommends against modifying it. I did it anyway. I’d recommend taking a backup of it before any changes are made.


An answer to this would be really helpful. I am in the same boat. Everything I’ve done should result in TSLv1 being disabled but its not!

Had the same problem - edited the ssl_protocols stanza in /etc/nginx.conf & remote check using nmap still finds TLS 1.0 & 1.1 running.

Poked around & saw that /etc/nginx/snippets/ssl-params.conf also has a ssl_protocols stanza.

Also rm’d TLSv1.0 & TLSv1.1 from there & all good.