Question

TLSv1 removed from nginx.conf but still works

Posted September 19, 2018 982 views
NginxUbuntu 16.04

Hi,

I’m trying to disable TLSv1 from nginx and allow only strong ciphers. I’ve removed TLSv1 from sslprotocols and added the sslciphers line then restarted the nginx service and even restarted the server. However when I test this both using openssl s_client -connect infosecured.org:443 -tls1 and with ssllabs, I’m still seeing it enabled. Any reason why this would be happening?

Below is the http setting from nginx.conf.

http {

        ##
        # Basic Settings
        ##

        client_max_body_size 500M;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE. Dropping TLSv1.0
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
2 comments
  • Has anyone figured this out? I am having the same issue

  • I am having the same problem, based on my research it may have something to do with the https certificate provider, in my case, letsencrypt. While nginx may be correctly configured, letsencrypt is doing its own thing. The question is how do you make letsencrypt disable tls1.0?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers

After a ton of searching, I came across this file that will take care of this, however LetsEncrypt recommends against modifying it. I did it anyway. I’d recommend taking a backup of it before any changes are made.

/etc/letsencrypt/options-ssl-nginx.conf

An answer to this would be really helpful. I am in the same boat. Everything I’ve done should result in TSLv1 being disabled but its not!

Had the same problem - edited the ssl_protocols stanza in /etc/nginx.conf & remote check using nmap still finds TLS 1.0 & 1.1 running.

Poked around & saw that /etc/nginx/snippets/ssl-params.conf also has a ssl_protocols stanza.

Also rm’d TLSv1.0 & TLSv1.1 from there & all good.

Submit an Answer