Hi,
I’m trying to disable TLSv1 from nginx and allow only strong ciphers. I’ve removed TLSv1 from ssl_protocols and added the ssl_ciphers line, then restarted the nginx service and even restarted the server. However, when I test this, both using openssl s_client -connect infosecured.org:443 -tls1 and with ssllabs, I’m still seeing it enabled. Any reason why this would be happening?
Below is the http setting from nginx.conf.
http {
##
# Basic Settings
##
client_max_body_size 500M;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE. Dropping TLSv1.0
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
After a ton of searching, I came across this file that will take care of this; however, LetsEncrypt recommends against modifying it. I did it anyway. I’d recommend taking a backup of it before any changes are made.
/etc/letsencrypt/options-ssl-nginx.conf
Had the same problem - edited the ssl_protocols stanza in /etc/nginx.conf & a remote check using nmap still finds TLS 1.0 & 1.1 running.
Poked around & saw that /etc/nginx/snippets/ssl-params.conf also has a ssl_protocols stanza.
Also rm’d TLSv1.0 & TLSv1.1 from there & all good.
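Both answers above come down to the same cause: a second ssl_protocols directive in an included file (the Let's Encrypt options file or snippets/ssl-params.conf) that nginx.conf alone does not show. The script below is an added example, not code from this thread or from nginx; it assumes the `# configuration file <path>:` headers that `nginx -T` prints before each file, and the dump it runs against is a constructed sample, not a real server's configuration.

```shell
#!/bin/sh
# Constructed sample of `nginx -T` output (not a real dump): the main file is
# already restricted, but an included snippet still lists TLSv1 and TLSv1.1,
# which is the pattern described in both answers above.
SAMPLE_DUMP='# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 443 ssl;
    include snippets/ssl-params.conf;
}

# configuration file /etc/nginx/snippets/ssl-params.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
'

# list_ssl_protocols: read an `nginx -T` dump on stdin and print one line per
# ssl_protocols directive as "<file>:<protocols>", so every file that sets it
# (main config, snippets, Let's Encrypt options) shows up, not just nginx.conf.
list_ssl_protocols() {
    awk '
        /^# configuration file / { file = $4; sub(/:$/, "", file); next }
        /^[ \t]*ssl_protocols[ \t]/ {
            sub(/^[ \t]*ssl_protocols[ \t]+/, "")
            sub(/;.*$/, "")
            print file ":" $0
        }'
}

# weak_ssl_protocols: keep only the directives that still enable TLSv1 or
# TLSv1.1 (whole tokens, so TLSv1.2 and TLSv1.3 do not match).
weak_ssl_protocols() {
    list_ssl_protocols | awk -F: '{
        n = split($2, p, " ")
        for (i = 1; i <= n; i++)
            if (p[i] == "TLSv1" || p[i] == "TLSv1.1") { print; break }
    }'
}

# Against a live server: nginx -T 2>/dev/null | weak_ssl_protocols
printf '%s' "$SAMPLE_DUMP" | weak_ssl_protocols
```

Run on a live host, the last pipeline names each file that still offers the old protocol versions; once the output is empty, re-check from outside with openssl s_client, since a directive in a server block overrides the one in the http block.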
An answer to this would be really helpful. I am in the same boat. Everything I’ve done should result in TLSv1 being disabled, but it’s not!