I wanted to disable TLS 1.0 and 1.1, but failed somehow.
I had multiple vhosts and a default site for Zabbix monitor. In every server section, I placed “ssl_protocols TLSv1.2 TLSv1.3;” and disabled unsafe ciphers.
But nmap told me TLS 1.0/1.1/1.2 were enabled and 1.3 was not, and the ciphers were not correct either.
I also tried commenting out the protocol line, or leaving just TLSv1.2 or 1.3, but nothing changed.
I searched every file in the /etc/nginx folder, but found no other ssl_protocols lines.
Running through what info is here, it looks like what you have in your setup should work.
The line in your configs that addresses this, as seen below, appears to be the correct syntax (ssl_protocols INFO):
ssl_protocols TLSv1.2 TLSv1.3;
NGINX version 1.24, while older, does support TLSv1.3. Current is 1.29 in the repo. It might be wise to at least move to 1.28 stable.
CentOS 8, while also older, should support TLSv1.3 through OpenSSL 1.1.1c.
Let’s look at some other factors that could prevent your TLS 1.0/1.1 disabling configuration from working properly. This is a short list of potential causes, not a full list, so let’s start with these and go from there.
Configuration Scope, Inheritance Issues, and Multiple NGINX Configuration Files
SSL directives in server blocks can override global settings. I don’t think this is the case, but it cannot hurt to validate by double-checking that the configs in all locations are limited to just the ones you need, and by tracing through the includes to ensure that you do not have one in the chain that is overriding its predecessor.
NGINX Configuration Not Reloaded
Again, it is just a good idea to run the commands below to ensure everything is loading.
# Test configuration first
nginx -t
# Reload if test passes
nginx -s reload
# OR restart nginx service
systemctl restart nginx
Load Balancer or Proxy in Front
SSL termination happening elsewhere: this one is a bit trickier, but it is best to ensure you’re not sitting behind a CDN service, another load balancer, or a reverse proxy.
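The "trace through the includes" step above is tedious by hand when there are several vhost files. The script below is an added example (not code from the thread, from NGINX, or from either poster): it follows every include directive reachable from a main nginx.conf, records each ssl_protocols directive with the file, line and enclosing block (http, server, ...), and flags any directive that still lists a legacy protocol. It makes two simplifying assumptions, both marked in comments: relative include paths are resolved against the directory of the top-level nginx.conf (nginx itself uses its configured prefix, which for packaged builds is normally that same /etc/nginx directory), and each block opener sits on its own line. The sample configuration tree it writes to a temporary directory is constructed for the demonstration and deliberately contains a stale default_server block that re-enables TLSv1/TLSv1.1, which is the kind of override the poster was looking for.

```python
"""Trace nginx include chain and report every ssl_protocols directive.

Added example for the thread above; not NGINX code. Assumptions:
  * relative `include` paths resolve against the directory holding the
    top-level nginx.conf (nginx uses its prefix; usually the same place);
  * one block opener ("server {", "location / {") per line, one "}" per line.
"""
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^include\s+([^;]+);')
SSL_PROTOCOLS_RE = re.compile(r'^ssl_protocols\s+([^;]+);')
# Protocol names nginx accepts that a hardened config should no longer list.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def strip_comment(line):
    """Drop a trailing '# ...' comment (nginx has no quoted '#' in practice)."""
    return line.split('#', 1)[0]


def find_ssl_protocols(conf_path, prefix=None, seen=None, context=None):
    """Return dicts {file, line, context, protocols} for every active
    ssl_protocols directive reachable from conf_path via include directives."""
    conf_path = os.path.abspath(conf_path)
    prefix = prefix or os.path.dirname(conf_path)   # assumption: see docstring
    seen = set() if seen is None else seen
    context = list(context or [])                    # block names inherited from includer
    if conf_path in seen:                             # guard against include loops
        return []
    seen.add(conf_path)
    results = []
    with open(conf_path, encoding='utf-8') as fh:
        for line_no, raw in enumerate(fh, 1):
            line = strip_comment(raw).strip()
            if not line:
                continue
            m = SSL_PROTOCOLS_RE.match(line)
            if m:
                results.append({
                    "file": conf_path,
                    "line": line_no,
                    "context": '/'.join(context) or 'main',
                    "protocols": m.group(1).split(),
                })
            m = INCLUDE_RE.match(line)
            if m:
                pattern = m.group(1).strip()
                if not os.path.isabs(pattern):
                    pattern = os.path.join(prefix, pattern)
                for included in sorted(glob.glob(pattern)):
                    results.extend(find_ssl_protocols(included, prefix, seen, context))
            # Track block nesting so each hit can be attributed to http/server/location.
            if line.endswith('{'):
                context.append(line.split()[0])
            elif line == '}' and context:
                context.pop()
    return results


def legacy_directives(results):
    """Subset of results that still enable a protocol from LEGACY."""
    return [r for r in results if LEGACY & set(r["protocols"])]


# Constructed sample tree: an http-level default, one clean vhost in conf.d,
# and a stale default_server in sites-enabled that silently re-enables TLS 1.0/1.1.
SAMPLE_TREE = {
    "nginx.conf": (
        "# constructed sample, not a real deployment\n"
        "http {\n"
        "    ssl_protocols TLSv1.2 TLSv1.3;\n"
        "    include conf.d/*.conf;\n"
        "    include sites-enabled/*;\n"
        "}\n"
    ),
    "conf.d/zabbix.conf": (
        "server {\n"
        "    listen 443 ssl;\n"
        "    server_name zabbix.example.test;\n"
        "    ssl_protocols TLSv1.2 TLSv1.3;\n"
        "}\n"
    ),
    "sites-enabled/legacy.conf": (
        "server {\n"
        "    listen 443 ssl default_server;\n"
        "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # stale override\n"
        "}\n"
    ),
}


def write_sample_tree(root):
    """Materialise SAMPLE_TREE under root; return the path of the main conf."""
    for rel, text in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(text)
    return os.path.join(root, "nginx.conf")


def demo():
    """Run the tracer over the constructed tree; return (all hits, flagged files)."""
    with tempfile.TemporaryDirectory() as root:
        found = find_ssl_protocols(write_sample_tree(root))
        for r in found:
            print(f"{os.path.relpath(r['file'], root)}:{r['line']} "
                  f"[{r['context']}] {' '.join(r['protocols'])}")
        hits = [(os.path.relpath(r["file"], root), r["context"], r["protocols"]) for r in found]
        flagged = [os.path.relpath(r["file"], root) for r in legacy_directives(found)]
        return hits, flagged


if __name__ == "__main__":
    demo()   # run against a real install with find_ssl_protocols('/etc/nginx/nginx.conf')
```

Pointed at a real tree with `find_ssl_protocols('/etc/nginx/nginx.conf')`, it shows exactly which server block wins for each listener. Because nginx applies the server-level directive over the http-level one, a single vhost left at `TLSv1 TLSv1.1 TLSv1.2` will show up in an nmap scan regardless of what the other vhosts say. As a cross-check that does not depend on the script's assumptions, `nginx -T` prints the fully resolved configuration nginx would actually load, so `nginx -T | grep -n ssl_protocols` should list the same directives.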
Hey again! Whilst @Dylen looks into this a bit further, what happens if you reduce your ssl directives to the bare minimum? Try commenting out everything but ssl_certificate, ssl_certificate_key and ssl_protocols.