nginx allows TLS 1.1 connection even though configuration only permits TLSv1.2
January 30, 2024 05:10AM
I am testing my website using ssllabs and getting a **B** grade because TLS 1.0 and TLS 1.1 are allowed. However, to the best of my understanding, my nginx configuration should not allow TLS 1.0 and TLS 1.1.

In nginx.conf I have:
http {
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

Also, under /etc/nginx/sites-enabled/ I have a host specific conf file with the following configuration:
server {
    listen 443 ssl;
    listen [::]:443 ipv6only=on;
    server_name www.mydomain.com;

    ssl_certificate /etc/nginx/ssl/mycert.crt;
    ssl_certificate_key /etc/nginx/ssl/my.key;

    **ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;**
}
OS: alpine
nginx version:

nginx/1.22.1
built with OpenSSL 3.0.5 5 Jul 2022 (running with OpenSSL 3.0.8 7 Feb 2023)
TLS SNI support enabled

This is running as docker container under aws-lightsail container service.

I also tried adding a default server configuration and tried listing an explicit list of strong ciphers, but both of these did not help.

I can connect to my website using openssl with TLSv1.1 (openssl s_client -connect www.mydomain.com:443 -tls1_1): I am getting a TLS 1.1 connection with cipher ECDHE-RSA-AES128-SHA which according to my understanding should not be allowed.

How can I block TLSv1.0 and TLSv1.1?
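
The single `-tls1_1` check from the post above, extended to every protocol version, as an added example that is not part of the original thread. The function names are hypothetical and the host is passed on the command line.

```shell
#!/bin/sh
# Added example: report which TLS versions an endpoint accepts.
# Function names are hypothetical; host and port come from the command line.

# Read `openssl s_client` output on stdin. Print the negotiated cipher, or
# "rejected" when no handshake completed. Only the cipher is taken from the
# "New, ..." line: the version printed there describes the cipher suite and
# is not necessarily the protocol version of the connection.
negotiated_cipher() {
    awk '/^New, .*Cipher is / { cipher = $NF }
         END {
             if (cipher == "" || cipher == "(NONE)") print "rejected"
             else print cipher
         }'
}

# Probe one protocol version.
# $1 = s_client version flag without the dash (e.g. tls1_1), $2 = host, $3 = port.
probe() {
    flag=$1 host=$2 port=${3:-443}
    # -servername sends SNI so the name-based server block is the one tested.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              "-$flag" </dev/null 2>&1)
    printf '%s\n' "$out" | negotiated_cipher
}

# Probe every version and print one line per version.
scan() {
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s %s\n' "$flag" "$(probe "$flag" "$1" "$2")"
    done
}

# Run a scan only when a host is given, e.g.: sh tlsprobe.sh www.mydomain.com 443
if [ -n "${1:-}" ]; then scan "$1" "${2:-443}"; fi
```

A `rejected` result is only meaningful if the local `openssl` build can itself speak that protocol version; a client with TLS 1.0/1.1 disabled reports `rejected` for any server.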
Re: nginx allows TLS 1.1 connection even though configuration only permits TLSv1.2
January 30, 2024 05:49AM
ssl_protocols TLSv1.2 TLSv1.3;
and all ssl_* settings should be part of your server {} blocks, not at http {} block level.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: nginx allows TLS 1.1 connection even though configuration only permits TLSv1.2
January 30, 2024 05:54AM
Thanks.
However, I've tried adding TLSv1.3 but it didn't help. Plus, as I mentioned in my question I have this setting also in the server section.
I tried putting it only in the server section and it also did not help.