Disable TLS 1.0 and TLS 1.1 on Nginx server

Transport Layer Security (TLS) is the protocol that provides confidentiality and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but the SSL versions no longer provide an adequate level of security, and SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018. TLS 1.0 and TLS 1.1 were themselves formally deprecated by RFC 8996 in 2021: their PRF and handshake signatures are built on MD5 and SHA-1, and neither version supports AEAD cipher suites, so most organisations and browsers have moved to TLS 1.2 and TLS 1.3. Mozilla Firefox, Google Chrome, Apple Safari and Microsoft Edge all ended support for TLS 1.0/1.1 in 2020, so plan ahead, test your applications, and turn the old versions off on both servers and clients (on Windows this can be done through Group Policy). If you want to learn more about these protocols, the differences between them and the security improvements in each version, read the RFCs: TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446). The steps below disable TLS 1.0 and TLS 1.1 on an Nginx server.

When Nginx is installed from the Ubuntu packages, the default nginx.conf lists TLSv1 and TLSv1.1 in its ssl_protocols directive, so those versions are offered to clients unless the OpenSSL library Nginx is linked against refuses them. Because TLS 1.0 and TLS 1.1 are deprecated, disable them explicitly in the Nginx configuration rather than relying on the library's defaults: the policy is then visible in one place and survives OpenSSL upgrades or changes to /etc/ssl/openssl.cnf. Take a backup of nginx.conf before making any change. The steps below were done on Nginx 1.22.0 (nginx -v prints nginx version: nginx/1.22.0).

Connect to your server and open nginx.conf in an editor with the command below; sudo will prompt for your password.

sudo nano /etc/nginx/nginx.conf

In the configuration file, find the SSL Settings inside the http block, where the ssl_protocols directive lists TLSv1 and TLSv1.1 among the allowed versions. On Ubuntu it looks like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

Remove TLSv1 and TLSv1.1 from the line, leaving only TLSv1.2 and TLSv1.3. The tokens must be spelled exactly like that: nginx -t rejects a misspelling such as TLS 1.3 (with a space) as an invalid value, and the TLSv1.3 parameter only takes effect when Nginx is built against OpenSSL 1.1.1 or later.

It should look like this:

ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE


After saving nginx.conf, validate the configuration and then reload Nginx so the running worker processes pick up the new setting:

sudo nginx -t
sudo service nginx reload

A reload is graceful and keeps existing connections open. A full restart (sudo service nginx restart, or sudo systemctl restart nginx) is only needed if the reload fails. If nginx -t reports an error, fix it before reloading: Nginx refuses to reload an invalid configuration and the old protocol list stays active.

Check the status of the Nginx service to make sure it is reported as Active (running):

systemctl status nginx

An ssl_protocols directive in the http block is inherited by every server block, but a server block may override it with its own ssl_protocols line. After changing nginx.conf, also check each site file, for example sudo nano /etc/nginx/sites-available/xyz.com (replace xyz.com with your domain name), and make sure no ssl_protocols line there still lists TLSv1 or TLSv1.1. The same applies to any file pulled in through an include directive.
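Checking every site file by hand does not scale, and a per-site override is easy to miss. The script below is an added example (not part of the original article) that audits the effective configuration as printed by nginx -T, which outputs the fully merged configuration with every include resolved. The config text in SAMPLE_CONF is constructed for the demonstration and is not a real server's configuration.

```sh
#!/bin/sh
# Added example, not from the original article: find every active
# ssl_protocols directive that still offers SSLv2, SSLv3, TLSv1 or TLSv1.1.
#
# Audit the live configuration (includes and per-site overrides resolved):
#   sudo nginx -T 2>/dev/null | sh audit_ssl_protocols.sh -
# Audit a single file:
#   sh audit_ssl_protocols.sh /etc/nginx/sites-available/xyz.com

# weak_protocol_lines: read nginx config text on stdin and print "LINE:TEXT"
# for each ssl_protocols directive that lists a deprecated version.
# Lines that are commented out are skipped, protocol names inside trailing
# comments are stripped before matching, and TLSv1 is matched as a whole
# token so that TLSv1.2 and TLSv1.3 never trigger a hit.
weak_protocol_lines() {
  grep -nE '^[[:space:]]*ssl_protocols[[:space:]]' \
    | sed 's/#.*$//' \
    | grep -E '(^|[[:space:]])(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]'
}

# weak_protocol_count: number of offending directives on stdin (0 means clean)
weak_protocol_count() {
  weak_protocol_lines | wc -l | tr -d ' '
}

# Constructed sample: the global setting is fine, but one server block
# re-enables the old versions, and a commented-out line must not count.
SAMPLE_CONF='http {
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # per-site override re-enables old versions
    }
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  (commented out, ignored)
}'

# Command-line dispatch: "-" reads stdin, a path reads that file, no
# argument only defines the functions (so the file can be sourced).
case "${1:-}" in
  "") ;;
  -)  weak_protocol_lines ;;
  *)  weak_protocol_lines < "$1" ;;
esac
```

On the sample above the audit reports only line 6, the server-block override. Run it against nginx -T rather than the files on disk whenever possible; a directive in a file outside /etc/nginx that is pulled in by include would otherwise be missed.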

How to test if TLS 1.0 and TLS 1.1 are disabled on Nginx Server

There are several ways to test this; here the open source OpenSSL command-line tool is used. Install OpenSSL on the machine you test from (sources and links to binaries are at https://www.openssl.org/source/), or, if Git for Windows is installed, use the openssl.exe it ships under C:\Program Files\Git\usr\bin (Git can be downloaded from https://git-scm.com/downloads). The examples below use that copy.


Open a command prompt and change into that directory (the path contains spaces, so quote it: cd "C:\Program Files\Git\usr\bin"), then run the commands below against your domain. Run against cloudinfra.net they show TLS 1.0 and TLS 1.1 being rejected while TLS 1.2 and TLS 1.3 connect. Two caveats: the test only proves something when the client's own OpenSSL is still willing to offer TLS 1.0/1.1 (if it prints no protocols available, the client refused to send that version and the result says nothing about the server), and if the server hosts several names on one address, add -servername yourdomain so the handshake reaches the right server block rather than the default one.

openssl s_client -connect cloudinfra.net:443 -tls1
openssl s_client -connect cloudinfra.net:443 -tls1_1
openssl s_client -connect cloudinfra.net:443 -tls1_2
openssl s_client -connect cloudinfra.net:443 -tls1_3

Testing TLS 1.0

With -tls1 the handshake is refused: OpenSSL reports a protocol version alert from the server and the summary line reads New, (NONE), Cipher is (NONE).

Testing TLS 1.1

With -tls1_1 the result is the same as for TLS 1.0: the server rejects the version and no cipher is negotiated.

Testing TLS 1.2

With -tls1_2 the handshake completes: the output shows the certificate chain, a summary line such as New, TLSv1.2, Cipher is ... and Protocol : TLSv1.2 in the SSL-Session section.

Testing TLS 1.3

With -tls1_3 the handshake completes as well, with New, TLSv1.3, Cipher is ... and Protocol : TLSv1.3 in the output.
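Reading four s_client transcripts by eye is error-prone, and a failure caused by the client's own OpenSSL looks superficially like a server rejection. The script below is an added example (not part of the original article) that runs the same four probes and classifies each result. The host name in the usage line and the SAMPLE_* texts are constructed for illustration (abridged to the lines that matter) and are not captures from a real server; -servername is added to the original commands so the probe reaches the intended server block.

```sh
#!/bin/sh
# Added example, not from the original article: probe a host once per TLS
# version with openssl s_client and classify each outcome, separating
# "the server refused it" from "my OpenSSL would not offer it".
#
#   sh probe_tls_versions.sh yourdomain.example 443

# classify_handshake: read the merged stdout+stderr of one s_client run on
# stdin and print exactly one word:
#   client-unsupported  the local OpenSSL refused to offer that version
#                       (MinProtocol in openssl.cnf or a build without it);
#                       proves nothing about the server
#   enabled             a handshake completed at that version
#   disabled            the server rejected the version (protocol_version
#                       alert, handshake failure or version mismatch)
#   error               could not connect, or output not recognised
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no protocols available'; then
    echo client-unsupported
  elif printf '%s\n' "$out" | grep -qE '^New, (SSLv3|TLSv1(\.[123])?), Cipher is [A-Za-z0-9_-]+'; then
    echo enabled
  elif printf '%s\n' "$out" | grep -qE 'alert protocol version|handshake failure|unsupported protocol|wrong version number'; then
    echo disabled
  else
    echo error
  fi
}

# probe HOST [PORT]: one s_client run per version flag; </dev/null makes
# s_client exit as soon as the handshake is decided.
probe() {
  host=$1
  port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    result=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
               </dev/null 2>&1 | classify_handshake)
    printf '%-8s %s\n' "$flag" "$result"
  done
}

# Constructed, abridged s_client outputs used to check the classifier offline.
SAMPLE_ENABLED='CONNECTED(00000003)
depth=0 CN = www.example.com
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2'

SAMPLE_DISABLED='CONNECTED(00000003)
error:SSL routines::tlsv1 alert protocol version:SSL alert number 70
New, (NONE), Cipher is (NONE)'

SAMPLE_CLIENT_UNSUPPORTED='CONNECTED(00000003)
error:SSL routines::no protocols available
New, (NONE), Cipher is (NONE)'

# Run the live probe only when a host was given on the command line.
if [ $# -gt 0 ]; then
  probe "$@"
fi
```

A hardened server should print disabled for -tls1 and -tls1_1 and enabled for -tls1_2 and -tls1_3. A client-unsupported result means the test machine, not the server, needs attention: repeat it from a client whose OpenSSL still allows the old versions, or the check proves nothing.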

Conclusion

TLS 1.0 and TLS 1.1 should be disabled on your servers and websites. In Nginx, restrict ssl_protocols to TLSv1.2 and TLSv1.3 in nginx.conf and in any site file that overrides it, validate with nginx -t, reload the service, and confirm with openssl s_client that the old versions are refused. If you want to disable TLS 1.0 and TLS 1.1 on Windows 10 devices as well, see the article Disable TLS 1.0 and TLS 1.1 on Windows 10 machines through GPO.