Friday, January 28, 2022

Disabling old TLS in nginx

One easy nginx hardening step is to disable the old TLS versions. TLSv1.3 is the current standard and TLSv1.2 is still acceptable, while TLSv1.0 and TLSv1.1 were formally deprecated by RFC 8996 in 2021 and should not be enabled on a production nginx.

To disable TLSv1 and TLSv1.1, open /etc/nginx/nginx.conf, find the ssl_protocols line and change it to look like below. Note that ssl_protocols can also be set inside a server block, including in the files that nginx.conf includes from conf.d/ and sites-enabled/, and a server-level directive overrides the http-level one, so every occurrence has to be changed. If there is no ssl_protocols directive at all, nginx uses its built-in default, which at the time of writing still included TLSv1 and TLSv1.1 (only nginx 1.23.4 and later turn them off by default), so add the directive explicitly rather than relying on the default.

ssl_protocols TLSv1.2 TLSv1.3;

Test the configuration for syntax errors

sudo nginx -t

Then restart nginx to activate the setting (a reload via systemctl reload nginx also picks up the change, without dropping existing connections)

sudo systemctl restart nginx
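Because the http-level ssl_protocols line in nginx.conf can be overridden by any included vhost file, it is worth auditing the whole config tree rather than trusting the one edit. The following script is an added example (not part of the original post and not an nginx tool): it walks a config directory, picks out every uncommented ssl_protocols directive and reports the ones that still enable a legacy protocol. The sample tree produced by write_sample_tree() is constructed for the demonstration and assumes a Debian-style layout with a sites-enabled/ directory.

```python
"""Audit an nginx config tree for ssl_protocols directives that still enable
legacy protocols.

Added example, not code from the original post.  nginx applies the innermost
ssl_protocols in effect for a virtual host (server{} overrides http{}), so a
hardened nginx.conf can still be undone by a vhost file under conf.d/ or
sites-enabled/.  The tree written by write_sample_tree() is constructed here
for demonstration and mimics a Debian-style layout (an assumption).
"""
import os
import re
import tempfile

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Matches an uncommented directive; the captured group is the protocol list.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")


def find_ssl_protocols(conf_dir):
    """Return [(path, lineno, {protocols})] for every active directive under conf_dir."""
    found = []
    for root, _dirs, files in os.walk(conf_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = DIRECTIVE.match(line)
                        if m:
                            found.append((path, lineno, set(m.group(1).split())))
            except OSError:
                continue  # unreadable file or dangling symlink in sites-enabled/
    return found


def legacy_directives(conf_dir):
    """Directives that still list a protocol from LEGACY, with the offending names."""
    return [(path, lineno, protos & LEGACY)
            for path, lineno, protos in find_ssl_protocols(conf_dir)
            if protos & LEGACY]


def write_sample_tree():
    """Constructed sample tree: hardened nginx.conf, one vhost left behind."""
    base = tempfile.mkdtemp(prefix="nginx-audit-")
    os.makedirs(os.path.join(base, "sites-enabled"))
    with open(os.path.join(base, "nginx.conf"), "w") as fh:
        fh.write("http {\n"
                 "    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  (old line, commented out)\n"
                 "    ssl_protocols TLSv1.2 TLSv1.3;\n"
                 "    include sites-enabled/*;\n"
                 "}\n")
    with open(os.path.join(base, "sites-enabled", "legacy-app"), "w") as fh:
        fh.write("server {\n"
                 "    listen 443 ssl;\n"
                 "    server_name legacy.example;\n"
                 "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
                 "}\n")
    return base


if __name__ == "__main__":
    import sys
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/nginx"
    if not find_ssl_protocols(conf_dir):
        # Before nginx 1.23.4 the built-in default still enabled TLSv1 and TLSv1.1.
        print(f"no ssl_protocols directive under {conf_dir}: the built-in default applies")
    for path, lineno, bad in legacy_directives(conf_dir):
        print(f"{path}:{lineno}: still enables {' '.join(sorted(bad))}")
```

Run it as `python3 audit.py /etc/nginx` after editing nginx.conf; an empty result together with at least one directive found is what you want before running nginx -t and reloading. Commented-out lines are ignored, which is why the regex anchors on the directive name rather than searching the whole line.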

To quickly check that nginx no longer accepts TLSv1 and TLSv1.1, run the nmap ssl-enum-ciphers script against the site; it lists every protocol version the server negotiated together with the cipher suites offered under it. Older nmap releases do not enumerate TLSv1.3, so its absence from the output alone is not proof that the server lacks it.

 nmap --script ssl-enum-ciphers -p 443 www.mytlssite.com
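The same check can be scripted without nmap, which is useful for a recurring post-deploy test. The block below is an added example, not code from the original post or from nginx or nmap: it does one handshake per TLS version using Python's ssl module, each pinned so that only that version can be negotiated, and turns the result into review findings. The hostname www.mytlssite.com is the post's placeholder and the verdict rules are my own assumptions.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example, not from the original post or from nginx/nmap.  One handshake
per version, pinned with minimum_version == maximum_version, so a success
means the server really accepted that version.  The default host is the
post's placeholder; the verdict rules below are assumptions.
"""
import socket
import ssl
import warnings

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _pinned_context(version):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we test protocol support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/1.1 warn on 3.10+
        ctx.minimum_version = version
        ctx.maximum_version = version
    # OpenSSL 3 refuses TLSv1/1.1 at its default security level, so without this
    # every legacy probe would fail on the client side and look like a pass.
    try:
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not understand SECLEVEL
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {name: True if a handshake pinned to that version succeeded}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = _pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (OSError, ValueError):
            # OSError covers ssl.SSLError (server alert), refused connections and
            # timeouts; ValueError means the local OpenSSL cannot be configured
            # for that version at all, which also counts as "not negotiated".
            results[name] = False
    return results


def verdict(results):
    """Findings a hardening review would report for a probe result."""
    findings = []
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"{legacy} still accepted: remove it from ssl_protocols")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("neither TLSv1.2 nor TLSv1.3 accepted: host unreachable or ssl_protocols misconfigured")
    elif not results.get("TLSv1.3"):
        findings.append("TLSv1.3 not accepted: nginx must be built against OpenSSL 1.1.1 or newer")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.mytlssite.com"  # placeholder from the post
    res = probe_tls_versions(host)
    for name, ok in res.items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}")
    for finding in verdict(res):
        print("FINDING:", finding)
```

The SECLEVEL override is the detail that bites in practice: on a machine with OpenSSL 3, a plain `openssl s_client -tls1` handshake fails because the client refuses the version, so a "rejected" result from such a client proves nothing about the server unless the security level is lowered for the probe (the same applies to the `-cipher 'DEFAULT@SECLEVEL=0'` option of s_client).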

Or, use one of the free web-based SSL test tools (these only work for hosts reachable from the Internet):

  1. https://www.ssllabs.com/ssltest/
  2. https://www.cdn77.com/tls-test 
  3. https://www.thesslstore.com/ssltools/ssl-checker.php
  4. https://gf.dev/tls-scanner
  5. https://gf.dev/tls-test
  6. https://www.wormly.com/test_ssl
  7. https://www.digicert.com/help/
  8. https://www.sslshopper.com/ssl-checker.html
  9. https://observatory.mozilla.org/
  10. https://tls.imirhil.fr/
  11. https://www.sslchecker.com/sslchecker
