TLSv1 removed from nginx.conf but still works


I’m trying to disable TLSv1 from nginx and allow only strong ciphers. I’ve removed TLSv1 from ssl_protocols and added the ssl_ciphers line then restarted the nginx service and even restarted the server. However when I test this both using openssl s_client -connect -tls1 and with ssllabs, I’m still seeing it enabled. Any reason why this would be happening?

Below is the http setting from nginx.conf.

http {

        # Basic Settings

        client_max_body_size 500M;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # SSL Settings

        ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE. Dropping TLSv1.0
        ssl_prefer_server_ciphers on;

        # Logging Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        # Virtual Host Configs

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

I am having the same problem, based on my research it may have something to do with the https certificate provider, in my case, letsencrypt. While nginx may be correctly configured, letsencrypt is doing its own thing. The question is how do you make letsencrypt disable tls1.0?

Has anyone figured this out? I am having the same issue

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Had the same problem - edited the ssl_protocols stanza in /etc/nginx.conf & remote check using nmap still finds TLS 1.0 & 1.1 running.

Poked around & saw that /etc/nginx/snippets/ssl-params.conf also has a ssl_protocols stanza.

Also rm’d TLSv1.0 & TLSv1.1 from there & all good.

After a ton of searching, I came across this file that will take care of this, however LetsEncrypt recommends against modifying it. I did it anyway. I’d recommend taking a backup of it before any changes are made.


This comment has been deleted

An answer to this would be really helpful. I am in the same boat. Everything I’ve done should result in TSLv1 being disabled but its not!