How to disable TLSv1 in Nginx?
Posted by sysadminthecat
|
How to disable TLSv1 in Nginx? August 09, 2017 03:25PM |
Registered: 6 years ago Posts: 1 |
I have this virtual host config in Nginx. TLSv1 is not configured in ssl_protocols but I'm still getting a response when doing curl or openssl s_client -tls1 -connect.
# OS and Nginx version
OS: Amazon Linux (4.9.32-15.41.amzn1.x86_64)
nginx version: nginx/1.10.2
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
TLS SNI support enabled
# Nginx main configuration
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.fedora.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
error_log /var/log/nginx/error.log;
gzip off;
gzip_disable "msie6";
index index.html;
index index.htm;
keepalive_timeout 65;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
resolver 1x.xx.xx.xx;
sendfile on;
server_names_hash_bucket_size 128;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# Vhost configuration
server {
listen 8443;
server_name tls-test.domain.com;
# Source: https://cipherli.st/
ssl on;
ssl_certificate /etc/pki/tls/certs/wildcard.domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/wildcard.domain.com.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass https://some-server.domain.com;
proxy_set_header Host tls-test.domain.com;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# Tests
## cURL
curl -vk https://tls-test.domain.com:8443 --tlsv1.0
* Rebuilt URL to: https://tls-test.domain.com:8443/
* Trying 5x.xx.xx.xx...
* TCP_NODELAY set
* Connected to tls-test.domain.com (5x.xx.xx.xx) port 8443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: *.domain.com
* Server certificate: ISSUER RSA Domain Validation Secure Server CA
* Server certificate: ISSUER RSA Certification Authority
> GET / HTTP/1.1
> Host: tls-test.domain.com:8443
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.2
< Date: Wed, 09 Aug 2017 18:53:37 GMT
< Content-Type: text/html
< Content-Length: 217
< Connection: keep-alive
< accept-ranges: bytes
< cache-control: no-cache
## OpenSSL
openssl s_client -tls1 -connect tls-test.domain.com:8443 < /dev/null
CONNECTED(00000003)
---TRIMMED---
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6109 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
---TRIMMED---
---
DONE
Edited 1 time(s). Last edit at 08/09/2017 03:25PM by sysadminthecat.
# OS and Nginx version
OS: Amazon Linux (4.9.32-15.41.amzn1.x86_64)
nginx version: nginx/1.10.2
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
TLS SNI support enabled
# Nginx main configuration
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.fedora.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
error_log /var/log/nginx/error.log;
gzip off;
gzip_disable "msie6";
index index.html;
index index.htm;
keepalive_timeout 65;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
resolver 1x.xx.xx.xx;
sendfile on;
server_names_hash_bucket_size 128;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# Vhost configuration
server {
listen 8443;
server_name tls-test.domain.com;
# Source: https://cipherli.st/
ssl on;
ssl_certificate /etc/pki/tls/certs/wildcard.domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/wildcard.domain.com.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass https://some-server.domain.com;
proxy_set_header Host tls-test.domain.com;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# Tests
## cURL
curl -vk https://tls-test.domain.com:8443 --tlsv1.0
* Rebuilt URL to: https://tls-test.domain.com:8443/
* Trying 5x.xx.xx.xx...
* TCP_NODELAY set
* Connected to tls-test.domain.com (5x.xx.xx.xx) port 8443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: *.domain.com
* Server certificate: ISSUER RSA Domain Validation Secure Server CA
* Server certificate: ISSUER RSA Certification Authority
> GET / HTTP/1.1
> Host: tls-test.domain.com:8443
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.2
< Date: Wed, 09 Aug 2017 18:53:37 GMT
< Content-Type: text/html
< Content-Length: 217
< Connection: keep-alive
< accept-ranges: bytes
< cache-control: no-cache
## OpenSSL
openssl s_client -tls1 -connect tls-test.domain.com:8443 < /dev/null
CONNECTED(00000003)
---TRIMMED---
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6109 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
---TRIMMED---
---
DONE
Edited 1 time(s). Last edit at 08/09/2017 03:25PM by sysadminthecat.
Sorry, only registered users may post in this forum.
Online Users
Guests:
200
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|