Nginx How to Disable TLS 1.0

Are you getting a bad SSL grade when checking your website?

Test your website with an SSL Server Test. Before I started this process my site was secure, but it was getting a B grade because I had the default settings, which included old protocols that should be disabled, like TLS v1.0.

This was my starting configuration:

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
...
}

You can see that I’m using Certbot to automatically generate a Let’s Encrypt certificate; you can read more about that in my previous post.

TLS v1, 1.1 and 1.2 are enabled by default, so we need to add a line to enable only the desired protocols:

 ssl_protocols TLSv1.1 TLSv1.2;

Actually, you can see I added a couple of lines of SSL settings:

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
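  ssl_session_cache shared:SSL:1m; # session cache shared between worker processes, 1 MB
  ssl_session_timeout 10m; # how long a cached session can be reused
  ssl_ciphers HIGH:!aNULL:!MD5; # strong ciphers only, no anonymous or MD5 suites
  ssl_protocols TLSv1.1 TLSv1.2; # TLSv1 (TLS 1.0) is left out, which disables it
  ssl_prefer_server_ciphers on; # the server's cipher order wins over the client's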
}

Once you are done and have reloaded your configuration, let’s go back to the SSL Server Test page and verify that we have a better grade after updating our settings.
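The same check can be run locally against the configuration text before going back to the test page. The script below is an added example, not part of the original post: it reports every TLS server block whose effective ssl_protocols still includes an old protocol, falling back to the defaults as this post states them when no ssl_protocols line applies. The function name, the sample host names and the choice to also flag SSLv2 and SSLv3 are assumptions.

```python
import re

# TLS v1.0 is what the post removes; SSLv2/SSLv3 are added here as an assumption.
WEAK = {"SSLv2", "SSLv3", "TLSv1"}
# Defaults as the post states them, used when no ssl_protocols line applies.
DEFAULT = ["TLSv1", "TLSv1.1", "TLSv1.2"]

def audit(conf):
    """Return [(server_name, [weak protocols])] for every TLS server block."""
    # Simplified tokenizer: drops comments, ignores quoting and include files.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    findings, stack, words = [], [{"name": "main"}], []
    for tok in tokens:
        if tok == "{":                       # a block opens, e.g. "server {"
            stack.append({"name": words[0] if words else ""})
        elif tok == "}" and len(stack) > 1:  # a block closes: judge server blocks
            block = stack.pop()
            if block["name"] == "server" and block.get("tls"):
                # Own directive wins, then the nearest enclosing one, then defaults.
                scopes = [block] + stack[::-1]
                protos = next((b["protocols"] for b in scopes if "protocols" in b), DEFAULT)
                weak = sorted(WEAK & set(protos))
                if weak:
                    findings.append((block.get("server_name", "?"), weak))
        elif tok == ";" and words:           # a simple directive ends
            name, args = words[0], words[1:]
            if name == "ssl_protocols":
                stack[-1]["protocols"] = args
            elif name == "server_name" and args:
                stack[-1]["server_name"] = args[0]
            elif name == "listen" and "ssl" in args:
                stack[-1]["tls"] = True
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return findings

# Constructed sample: the post's "before" and "after" server blocks, renamed.
SAMPLE = """
server {
  listen 443 ssl http2;
  server_name before.example.com;   # no ssl_protocols: defaults apply
}
server {
  listen 443 ssl http2;
  server_name after.example.com;
  ssl_protocols TLSv1.1 TLSv1.2;
}
"""

print(audit(SAMPLE))
```

To audit a real server, pass in the output of `nginx -T`, which prints the full configuration with include files expanded.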