Nginx: How to Disable TLS 1.0
Are you getting a bad SSL grade when checking your website?
Test your website with an SSL Server Test. Before I started this process my site was secure; however, it was getting a B grade because I had default settings, which included old protocols that should be disabled, like TLS v1.0.
This was my starting configuration:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ...
}
You can see that I’m using Certbot to automatically generate a Let’s Encrypt certificate. You can read more about that in my previous post.
TLS v1, 1.1 and 1.2 are enabled by default, so we need to add a line to enable only the desired protocols:
ssl_protocols TLSv1.1 TLSv1.2;
Actually, you can see I added a couple of lines of SSL settings:
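server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # Session cache shared between worker processes, with a 10 minute session lifetime
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # High-strength suites only; no unauthenticated (aNULL) or MD5-based suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    # TLSv1 is left out of the list, which disables TLS 1.0
    ssl_protocols TLSv1.1 TLSv1.2;
    # Use the server's cipher order rather than the client's
    ssl_prefer_server_ciphers on;
}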
Once you are done and have reloaded your configuration, let's go back to the SSL Server Test page and verify that we have a better grade after updating our settings.
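The same change can be checked offline against the configuration text itself. The script below is an added example, not part of the original post: it reports the effective `ssl_protocols` of every server block, including a value inherited from the `http` level. The names `split_servers`, `audit`, `LEGACY` and `ASSUMED_DEFAULT` are this example's own, and the default list is taken from the post's statement (it depends on the nginx version).

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1"}               # TLSv1 is what the post turns off
ASSUMED_DEFAULT = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # defaults as stated in the post

# Constructed samples: the post's two server blocks, reduced to the relevant lines.
BEFORE = """server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
}"""
AFTER = BEFORE.replace("}", "    ssl_protocols TLSv1.1 TLSv1.2;\n}")

def split_servers(conf):
    """Return (bodies of server blocks, text outside them) using brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)            # strip comments
    bodies, outer, pos = [], [], 0
    for m in re.finditer(r"\bserver\s*\{", conf):
        if m.start() < pos:
            continue                               # inside a block already consumed
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
        outer.append(conf[pos:m.start()])
        pos = i
    outer.append(conf[pos:])
    return bodies, "".join(outer)

def audit(conf):
    """Return [(server_name, effective protocols, legacy protocols still on)]."""
    bodies, outer = split_servers(conf)
    pat = re.compile(r"\bssl_protocols\s+([^;]+);")
    inherited = pat.search(outer)                  # http-level value, if any
    results = []
    for body in bodies:
        name = re.search(r"\bserver_name\s+([^;]+);", body)
        own = pat.search(body) or inherited        # server level overrides http level
        protocols = own.group(1).split() if own else list(ASSUMED_DEFAULT)
        legacy = sorted(LEGACY.intersection(protocols))
        results.append((name.group(1).strip() if name else "?", protocols, legacy))
    return results

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for name, protocols, legacy in audit(conf):
            print(label, name, " ".join(protocols), "LEGACY: " + ",".join(legacy) if legacy else "ok")
```

Passing the output of `nginx -T` to `audit()` covers included files as well, since that command dumps the full merged configuration.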