TLSv1 removed from nginx.conf but still works

September 19, 2018 520 views
Nginx Ubuntu 16.04

Hi,

I'm trying to disable TLSv1 from nginx and allow only strong ciphers. I've removed TLSv1 from sslprotocols and added the sslciphers line then restarted the nginx service and even restarted the server. However when I test this both using openssl s_client -connect infosecured.org:443 -tls1 and with ssllabs, I'm still seeing it enabled. Any reason why this would be happening?

Below is the http setting from nginx.conf.

http {

        ##
        # Basic Settings
        ##

        client_max_body_size 500M;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE. Dropping TLSv1.0
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
Be the first one to answer this question.