How to disable TLS 1.0 and TLS 1.1 in Nginx

The TLS 1.0 protocol appeared in 1999 and TLS 1.1 in 2006. Both will be considered obsolete in 2020, and various browsers will remove support for them around March 2020, so you need to disable them. The SSL 2.0 and SSL 3.0 protocols became outdated earlier.

If you did not specify the protocol versions in the site configuration files, they are set by default in the /etc/nginx/nginx.conf file, for example:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Remove the outdated versions from that line, for example:

ssl_protocols TLSv1.2;

Or specify the protocols in the configuration of each site, for example:

server {
    ...
    listen 443 ssl default_server;
    ssl_protocols TLSv1.2;
    ...
}
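
Because the directive can sit in nginx.conf and in any per-site file, it helps to list every ssl_protocols line that still names an obsolete protocol before reloading. The script below is an added example, not part of the original article; the function names audit_ssl_protocols and demo and the sample files are constructed for illustration, and directives split across several lines are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): report ssl_protocols
# directives that still enable SSLv2, SSLv3, TLSv1 or TLSv1.1.

audit_ssl_protocols() {
    conf_dir=$1
    # Scan every regular file in the tree: nginx.conf plus per-site files.
    find "$conf_dir" -type f | sort | while IFS= read -r file; do
        awk -v file="$file" '
        {
            line = $0
            sub(/#.*/, "", line)                     # ignore commented-out text
            if (line !~ /(^|[ \t;{])ssl_protocols[ \t]/) next
            sub(/.*ssl_protocols[ \t]+/, "", line)   # keep only the arguments
            sub(/;.*/, "", line)
            n = split(line, tok, /[ \t]+/)
            bad = ""
            for (i = 1; i <= n; i++) {
                # Compare whole tokens: a substring match on "TLSv1"
                # would also flag TLSv1.1 and TLSv1.2.
                if (tok[i] == "SSLv2" || tok[i] == "SSLv3" ||
                    tok[i] == "TLSv1" || tok[i] == "TLSv1.1") {
                    if (bad == "") bad = tok[i]; else bad = bad "," tok[i]
                }
            }
            if (bad != "") printf "%s:%d: %s\n", file, NR, bad
        }' "$file"
    done
}

# Constructed sample tree, so the script can be tried without a real server.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled"
    printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$d/nginx.conf"
    printf 'server {\n    listen 443 ssl default_server;\n    ssl_protocols TLSv1.2;\n}\n' \
        > "$d/sites-enabled/site.conf"
    audit_ssl_protocols "$d"
    rm -rf "$d"
}

# With a directory argument (for example /etc/nginx) audit it; otherwise run the demo.
if [ $# -gt 0 ]; then audit_ssl_protocols "$1"; else demo; fi
```

Each output line has the form file:line: protocols; no output means no obsolete protocol is listed in the scanned files.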

Check the configuration and reload it:

sudo nginx -t
sudo service nginx reload

Connection verification example (make sure that no connection is established with the outdated protocols -tls1, -tls1_1 and -ssl3, while -tls1_2 still connects):

openssl s_client -connect ixnfo.com:443 -tls1
openssl s_client -connect ixnfo.com:443 -tls1_1
openssl s_client -connect ixnfo.com:443 -tls1_2
openssl s_client -connect ixnfo.com:443 -ssl3

You can also check with online services, for example https://www.ssllabs.com/ssltest/, where you can also see other security recommendations.

See also my article:
Redirect HTTP to HTTPS in Nginx
