random_username

I updated my /etc/nginx/nginx.conf to this:
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

Then I did a "systemctl restart nginx", but TLS1.0 & TLS1.1 are still active on the server. There are no mentions of TLS in my "/etc/nginx/sites-available/website.conf", so I'm confused about where else these settings could be tucked away.

Any ideas?

Jeremy Davis

Firstly, apologies on my slow response. I've been away.

It sounds like you've done everything that should be required, so I'm not sure why that isn't working. As is likely obvious, the line you've edited is explicitly pre-configured by us. FWIW the next major release (v17.0) will only have TLS1.2 & TLS1.3 enabled by default.

Just to be 100% sure that it isn't being configured somewhere else, please run this command:

grep -R ssl_protocols /etc/nginx

It should only return the line that you have already edited (you can remove the # and everything after it if you wish as it's just a comment).

Please let me know if you don't find anything and it continues to use TLS1 & TLS1.1, and I'll launch one and test it out myself.

random_username

Hey, no worries! I appreciate your help!

Here is the output you requested.

/etc/nginx/nginx.conf:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
/etc/nginx/include/ssl:ssl_protocols TLSv1.2 TLSv1.3;

random_username

My apologies, I posted the wrong server's output. Here's the one I've been modifying.

/etc/nginx/include/ssl:ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/nginx.conf:  ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

Jeremy Davis

The previous one you posted (which still had TLS1 & 1.1 enabled) was what I expected (and hoped for). This one (where it clearly only has TLS1.2 & 1.3 enabled) completely stumps me TBH...

FWIW, you only need 'ssl_protocols' once per https site. We add the /etc/nginx/include/ssl file so multiple https sites can be served, with a single, shared SSL/TLS config. If you wish to use the shared file you just need to include it within each of your site's 'https{}' declaration section. I.e.:

include /etc/nginx/include/ssl;

Still that shouldn't actually cause this issue...!?

FWIW Mozilla has an interactive config generation site which might be worth following? I'm not sure, but perhaps some of the ciphers that are configured and/or the dhparams bitsize is a factor (TBH, I'm not super sure about the intricacies of SSL/TLS). Note that the Mozilla link (posted above) should include pre-config of the correct Nginx and OpenSSL version, but please double check.

Also, it's probably not a bad idea to replace the (self-generated on firstboot) dhparams file. The current recommendation is to use an audited set of Diffie-Hellman parameters (the contents of the dhparams file) to be sure that it includes a valid safe prime (the self-generated one should in theory, but apparently there are circumstances where it may not). Also the default bitsize of the generated file is only 1024bit. A 2048bit minimum bitsize is recommended, but it is quite CPU intensive to generate a file of that size (especially on a headless VM at firstboot where entropy is almost certainly quite low; hence why we default to 1024bit). So rather than generating one, download the audited one from Mozilla (it doesn't need to be secret, just a mathematically safe prime):

wget -O /etc/ssl/private/dhparams.pem https://ssl-config.mozilla.org/ffdhe2048.txt

It's perhaps obvious, but just in case, if you copy/paste the config from Mozilla, be sure to adjust the following:

  • 'ssl_certificate' path to /etc/ssl/private/cert.pem
  • 'ssl_certificate_key' path to /etc/ssl/private/cert.key
  • 'ssl_dhparam' path to point to /etc/ssl/private/dhparams.pem

As you would be aware, restarting Nginx after making these changes is required to apply the new settings.

If that doesn't work, please share how you are testing and confirming that it is still supporting TLS1 & 1.1? That way I can have a play myself and see if I can work it out.
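As an added example (not code from this thread or from TurnKey), here is a small POSIX shell audit that does what Jeremy's grep does but strips comments and reports only the files whose ssl_protocols directive still permits TLSv1 or TLSv1.1. It runs against a constructed config tree that mirrors the layout discussed above (nginx.conf already fixed, include/ssl still permitting the legacy protocols, and a site file that includes it); every path and file in the tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from TurnKey: audit every
# ssl_protocols directive under an nginx config root, ignoring comments,
# and flag the files that still permit TLSv1 or TLSv1.1.

# Build a constructed config tree mirroring the thread's layout. All paths
# are constructed; the tree lives in a temporary directory.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/include" "$root/sites-enabled"
  printf 'http {\n    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE\n}\n' \
    > "$root/nginx.conf"
  printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$root/include/ssl"
  printf 'server {\n    listen 443 ssl;\n    include %s/include/ssl;\n}\n' "$root" \
    > "$root/sites-enabled/website.conf"
  echo "$root"
}

# Print "<file>: <directive>" for each uncommented ssl_protocols directive
# that names TLSv1 or TLSv1.1. Returns 1 if any was found, 0 if the tree
# is clean. (Assumes config file names contain no whitespace.)
audit_ssl_protocols() {
  dir=$1
  status=0
  for f in $(grep -R -l 'ssl_protocols' "$dir" 2>/dev/null); do
    # Strip '#' comments first so "# Dropping SSLv3" cannot cause a hit,
    # then require TLSv1 / TLSv1.1 to be followed by a space or ';' so
    # that TLSv1.2 and TLSv1.3 do not match.
    legacy=$(sed 's/#.*//' "$f" | grep -E 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' || true)
    if [ -n "$legacy" ]; then
      printf '%s: %s\n' "$f" "$(printf '%s' "$legacy" | sed 's/^[[:space:]]*//')"
      status=1
    fi
  done
  return $status
}

# Stand-alone demonstration on the constructed tree.
root=$(make_sample_tree)
audit_ssl_protocols "$root" || echo "legacy TLS is still permitted in the file(s) above"
rm -rf "$root"
```

Run it with the real config root in place of the constructed one (audit_ssl_protocols /etc/nginx) to see every file, including shared includes, that still allows the old protocol versions.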
