To increase nginx security, one of the thing that we can configure is, to disable old TLS. At this current moment, TLSv1.3 is the gold standard, and TLSv1 and TLSv1.1 should not be enabled in production nginx.
To disable TLSv1 and TLSv1.1, just go to /etc/nginx/nginx.conf, find ssl_protocols line and change it to look like below
ssl_protocols TLSv1.2 TLSv1.3;
Test your configuration for any syntax error
sudo nginx -t
And restart your nginx to activate the setting
sudo systemctl restart nginx
In order to quickly check if our nginx no longer support TLSv1 and TLSv1.1, use nmap command as below
nmap --script ssl-enum-ciphers -p 443 www.mytlssite.com
Or, we can use one of the free web based SSL test tools:
- https://www.ssllabs.com/ssltest/
- https://www.cdn77.com/tls-test
- https://www.thesslstore.com/ssltools/ssl-checker.php
- https://gf.dev/tls-scanner
- https://gf.dev/tls-test
- https://www.wormly.com/test_ssl
- https://www.digicert.com/help/
- https://www.sslshopper.com/ssl-checker.html
- https://observatory.mozilla.org/
- https://tls.imirhil.fr/
- https://www.sslchecker.com/sslchecker