Disabling TLS 1.0 on nginx web servers

TLS 1.0 is end of life on June 30, 2018. To disable TLS 1.0 on an nginx web server, edit the “ssl_protocols” directive in your nginx.conf, where the TLS server directives are listed, and remove TLSv1. After you update the ssl_protocols directive and restart nginx, TLS 1.0 will be disabled.

Here are the steps to disable TLS 1.0 on an nginx server. The default configuration looks like this:

nginx.conf

You will see an “ssl_protocols” directive with TLS 1.0, TLS 1.1 and TLS 1.2 enabled. In some installations, you will not see the ssl_protocols directive. In that case, just add “ssl_protocols TLSv1.1 TLSv1.2;” to the configuration file.

Edit it and change to:

This allows only TLS 1.1 and TLS 1.2. Then restart the nginx server and you are done.

You can also confirm this with the nmap or ssl-scan utility to make sure TLS 1.0 is disabled. [ https://www.cloudibee.com/ssl-cert-tools/ ]

Before Disabling:

You can see that the host serves TLS 1.0, TLS 1.1 and TLS 1.2.

After Disabling:

You can see that TLS 1.0 ciphers are no longer served by the host.
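When a configuration has several server blocks, a stray ssl_protocols line that still lists TLSv1 is easy to miss. The following added example (not from the original post) scans nginx configuration text for active ssl_protocols directives that enable TLS 1.0 and rewrites them; the sample configuration and function names are constructed for illustration, and it assumes each directive sits on a single line.

```python
import re

# Constructed sample, not from the page: two server blocks and a commented-out line.
SAMPLE_CONF = """\
http {
    # ssl_protocols TLSv1;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.1 TLSv1.2;  # already hardened
    }
}
"""

# Matches an active (uncommented) ssl_protocols directive; group 2 is the protocol list.
DIRECTIVE = re.compile(r"^(\s*ssl_protocols\s+)([^;#]+)(;.*)$")

def find_directives(conf):
    """Return (line_number, [protocols]) for every uncommented ssl_protocols line."""
    found = []
    for number, line in enumerate(conf.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            found.append((number, match.group(2).split()))
    return found

def audit(conf):
    """Line numbers whose directive still enables TLS 1.0 (the exact token 'TLSv1')."""
    return [n for n, protos in find_directives(conf) if "TLSv1" in protos]

def disable_tls10(conf):
    """Return the config text with the TLSv1 token dropped from each directive."""
    out = []
    for line in conf.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            kept = [p for p in match.group(2).split() if p != "TLSv1"]
            if not kept:  # directive listed only TLSv1; an empty list is invalid
                raise ValueError("no protocols left in: " + line.strip())
            line = match.group(1) + " ".join(kept) + match.group(3)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("TLS 1.0 still enabled on lines:", audit(SAMPLE_CONF))
    print(disable_tls10(SAMPLE_CONF))
```

The token comparison is exact, so TLSv1.1 and TLSv1.2 are never mistaken for TLSv1; run `nginx -t` on the rewritten file before restarting.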
