Disable TLS 1.0 in NGINX
Solution 1:
Go find a server block you want to use as your "default" SSL negotiation template. Find your listen line:
server {
    ...
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
    ...
}
and add default_server to the end of the line:
server {
    ...
    listen 443 ssl default_server;
    ssl_protocols TLSv1.1 TLSv1.2;
    ...
}
This allows nginx to have a configuration to use when it's negotiating which TLS version to use. The downside is that you can only have one default server per port. So having some virtual domains with TLSv1 enabled and others with it disabled is a no-go.
Solution 2:
The problem here is that the Server Name Indication (SNI) part of TLS negotiation is done after the connection itself has been negotiated, and the protocol is negotiated during connection negotiation.
It might be possible to enforce no TLS v1.0 for that virtual host if you configure that virtual host on an IP address on the server that has no other virtual hosts associated with it. Therefore nginx would know, based on the IP address, that no TLS v1.0 is allowed.
Solution 3:
I disabled TLSv1 on nginx version 1.8.1. You need to update openssl to version 1.0.1g or 1.0.1h. Then simply remove 'TLSv1' from the ssl_protocols directive:
ssl_protocols TLSv1.1 TLSv1.2;
Then check the connection via TLSv1 with the command:
openssl s_client -tls1 -connect example.com:443 < /dev/null
You should get something like this:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1474531027
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
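Turning the manual check from Solution 3 into something repeatable: an added example (not from any of the answers above) that audits an nginx config for legacy entries in ssl_protocols and decides from an openssl s_client transcript whether the requested protocol was actually accepted. The transcripts embedded below are constructed samples, and probe() assumes an openssl binary on PATH.

```python
import re
import subprocess

# Constructed sample: the shape of s_client output when the server refuses
# the requested protocol (zero-byte handshake, no cipher), as in the answer.
SAMPLE_REFUSED = """CONNECTED(00000003)
write:errno=104
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
"""

# Constructed sample (abridged) of a handshake the server accepted.
SAMPLE_OK = """CONNECTED(00000003)
---
SSL handshake has read 3011 bytes and written 433 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
"""

HANDSHAKE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
CIPHER_RE = re.compile(r"^New, (.+?), Cipher is (.+)$", re.MULTILINE)
SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}

def handshake_succeeded(transcript: str) -> bool:
    """True only if bytes were exchanged and a real cipher (not '(NONE)') was chosen."""
    m = HANDSHAKE_RE.search(transcript)
    if not m or int(m.group(1)) == 0:
        return False
    c = CIPHER_RE.search(transcript)
    return bool(c) and c.group(2).strip() != "(NONE)"

def legacy_protocols(nginx_conf: str) -> list:
    """Legacy protocol names found in any ssl_protocols directive, in order of first appearance."""
    found = []
    for m in SSL_PROTOCOLS_RE.finditer(nginx_conf):
        for tok in m.group(1).split():
            if tok in LEGACY and tok not in found:
                found.append(tok)
    return found

def probe(host: str, port: int = 443, flag: str = "-tls1") -> bool:
    """Run the answer's check (openssl s_client <flag>) and report whether the server accepted it."""
    cmd = ["openssl", "s_client", flag, "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return handshake_succeeded(proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace"))
```

Remember the caveat from Solution 1: without default_server, a host probed by IP or with an unknown SNI name may be answered by a different server block, so run probe() against every name you serve, not just one.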