Welcome! Log In Create A New Profile

Advanced

Can't disable TLS 1.0

November 16, 2018 10:56PM
I am setting up web servers for best practice TLS.

The issue is TLS 1.0 which is deprecated

I want to remove it from the available protocols and have done the usual

##
# SSL Settings
##

ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

However the absence of TLSv1 in the list doesn't stop the server offering it.
I have checked carefully for prior syntax errors in the configuration and there are none.

The configuration is set in the main nginx.conf file and used by one or more enabled sites attached to specific IP addresses. The enabled sites do not change the ssl_protocols.

My environment:

nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tLEWFX/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

My config file - part

http {

##
# Basic Settings
##


sendfile on;
tcp_nopush on;
tcp_nodelay on;

# keepalive_timeout 65;

types_hash_max_size 2048;
server_tokens off;

server_names_hash_bucket_size 64;

# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

error_log /var/log/nginx/error.log info;

##
# SSL Settings
##

ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;

# Stapling

ssl_stapling on;
ssl_stapling_verify on;

# ssl ecdh curve

ssl_ecdh_curve secp384r1;

# DH Parameters

ssl_dhparam /etc/ssl/dhparams.pem;

# Header security

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

....

}
Subject Author Posted

Can't disable TLS 1.0

Jeremy Ardley November 16, 2018 10:56PM

Re: Can't disable TLS 1.0

Rainer Duffner November 17, 2018 10:58AM

Re: Can't disable TLS 1.0

Jeremy Ardley November 17, 2018 09:31PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 73
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready