I am testing my website using ssllabs and getting a **B ** grade because TLS 1.0 and TLS 1.1 are allowed. However, to the best of my understanding my nginx configuration should not allow TLS 1.0 and TLS 1.1.
In nginx.conf I have:
http {
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
Also, under /etc/nginx/sites-enabled/ I have a host specific conf file with the following configuration:
server {
listen 443 ssl;
listen [::]:443 ipv6only=on;
server_name www.mydomain.com;
ssl_certificate /etc/nginx/ssl/mycert.crt;
ssl_certificate_key /etc/nginx/ssl/my.key;
**ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;**
}
OS: alpine
nginx version:
nginx/1.22.1
built with OpenSSL 3.0.5 5 Jul 2022 (running with OpenSSL 3.0.8 7 Feb 2023)
TLS SNI support enabled
This is running as docker container under aws-lightsail container service.
I also tried adding a default server configuration and tried listing explicit list of strong ciphers but both of these did not help.
I can connect to my website using openssl with TLSv1.1 (openssl s_client -connect www.mydomain.com:443 -tls1_1): I am getting a TLS 1.1 connection with cipher ECDHE-RSA-AES128-SHA which according to my understanding should not be allowed.
How can I block TLSv1.0 and TLSv1.1?