Can't disable TLS 1.0
Jeremy Ardley
nginx-forum at forum.nginx.org
Sat Nov 17 03:56:30 UTC 2018
I am setting up web servers for best practice TLS. The issue is TLS 1.0, which is deprecated.
I want to remove it from the available protocols and have done the usual:
##
# SSL Settings
##
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
However, the absence of TLSv1 in the list doesn't stop the server offering it.
I have checked carefully for prior syntax errors in the configuration and there are none.
The configuration is set in the main nginx.conf file and used by one or more enabled sites attached to specific IP addresses. The enabled sites do not change the ssl_protocols.
My environment:
nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-fdebug-prefix-map=/build/nginx-tLEWFX/nginx-1.10.3=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_v2_module --with-http_dav_module --with-http_slice_module
--with-threads --with-http_addition_module --with-http_geoip_module=dynamic
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_image_filter_module=dynamic --with-http_sub_module
--with-http_xslt_module=dynamic --with-stream=dynamic
--with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
--add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-auth-pam
--add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-dav-ext-module
--add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-echo
--add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-upstream-fair
--add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module
My config file - part:
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    error_log /var/log/nginx/error.log info;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl ecdh curve
    ssl_ecdh_curve secp384r1;
    # DH Parameters
    ssl_dhparam /etc/ssl/dhparams.pem;
    # Header security
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ....
}
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282020,282020#msg-282020
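The directive says what nginx should offer; the check a practitioner runs next is one pinned handshake per version against the live listener, so the result reflects the running server rather than the config file. This is an added example, not from the post or from nginx, using only openssl s_client; the function names tls_negotiated and probe_host and the host argument are assumptions of mine, and a version the local openssl build cannot speak is reported as untestable rather than as disabled.

```shell
#!/bin/sh
# Probe which TLS versions a server actually negotiates, one pinned
# handshake per version with openssl s_client. Added example, not from the
# post; assumes a reachable host:port and an openssl that can still speak
# the older versions (a version the local openssl cannot offer is reported
# as untestable, not as disabled).

# tls_negotiated OUTPUT VERSION: returns 0 when the s_client session summary
# shows a completed handshake at VERSION (e.g. TLSv1, TLSv1.2), 1 otherwise.
# A refused version still prints a summary, but with "Cipher : 0000".
tls_negotiated() {
    out=$1
    ver=$2
    printf '%s\n' "$out" | grep -Eq "^ *Protocol *: *$ver\$" || return 1
    printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *0000' && return 1
    return 0
}

# probe_host HOST [PORT]: prints one line per TLS version.
probe_host() {
    host=$1
    port=${2:-443}
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        case $flag in
            tls1)   label=TLSv1 ;;
            tls1_1) label=TLSv1.1 ;;
            tls1_2) label=TLSv1.2 ;;
            tls1_3) label=TLSv1.3 ;;
        esac
        # Skip versions this openssl build cannot offer, so a "not offered"
        # line is about the server and not about the client.
        if ! openssl s_client -help 2>&1 | grep -Eq -- "^ *-$flag( |\$)"; then
            echo "$label: untestable (local openssl lacks -$flag)"
            continue
        fi
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                  -servername "$host" "-$flag" 2>&1)
        if tls_negotiated "$out" "$label"; then
            echo "$label: OFFERED"
        else
            echo "$label: not offered"
        fi
    done
}

# Usage: probe_host your.server.example 443   (host chosen by the operator)
```

A line reading "TLSv1: OFFERED" against your own listener means the running server still accepts it regardless of what the http-level ssl_protocols says, which is the point to take back to the config.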