Cannot disable TLS 1.0 and TLS 1.1

I wanted to disable TLS 1.0 and 1.1, but failed somehow.

I had multiple vhosts and a default site for Zabbix monitoring. In every server section, I placed "ssl_protocols TLSv1.2 TLSv1.3;" and disabled unsafe ciphers.

But nmap told me TLS 1.0/1.1/1.2 were enabled and 1.3 was not, and the ciphers were not correct either.

I also tried commenting out the protocol line, or leaving just TLSv1.2 or 1.3, but nothing changed.

I searched every file in the /etc/nginx folder, but no other ssl_protocols lines were found.

Is there anything I missed?

My environment is CentOS 8 and nginx 1.24.0.

Here are key parts of my configs.

/etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
     #                 '$status $body_bytes_sent "$http_referer" '
     #                 '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $upstream_addr $upstream_response_time';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    underscores_in_headers on;
    client_max_body_size 50m;
    server_names_hash_bucket_size   512;
    client_body_buffer_size 1024k;

    proxy_cache_path /tmp/cache levels=1:2 keys_zone=cache_one:100m inactive=1d max_size=1g;
    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/vhost/*.conf;
}

/etc/nginx/conf.d/default.conf:

server {
    listen       80 default_server;
    listen 443 ssl default_server;
    server_name  _;

    ssl_certificate /etc/nginx/ssl/ssl.pem;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!3DES:!DES;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

/etc/nginx/vhost/xxx_sale.conf:

server {
    listen 80;
    server_name aaa.xxx.com bbb.xxx.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/ssl.pem;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!3DES:!DES;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location /station {
        proxy_pass http://172.16.30.24;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto  $scheme;
    }
}

/etc/nginx/vhost/xxx_admin.conf:

server {
    listen 80;
    server_name ccc.xxx.com;
    return 301 https://$host$request_uri;
}

server {
    server_name ccc.xxx.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/ssl.pem;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!3DES:!DES;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    root /data/www/ttp-web;

    location ~* .*\.go$ {
        proxy_pass http://172.16.30.25;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto  $scheme;
    }
}

Running through what info is here, it looks like what you have in your setup should work.

  • The line in your configs that addresses this, as seen below, appears to be the correct syntax (see the ssl_protocols documentation):
    ssl_protocols TLSv1.2 TLSv1.3;
  • NGINX version 1.24, while older, does support TLSv1.3. Current is 1.29 in the repo. It might be wise to at least move to 1.28 stable.
  • CentOS 8, while also older, should support TLSv1.3 through OpenSSL 1.1.1c.

Let's look at some other factors that could prevent your TLS 1.0/1.1 disabling configuration from working properly. This is a short list of potential causes, not a full list, so let's start with these and go from there.

  1. Configuration Scope, Inheritance Issues, and Multiple NGINX Configuration Files
    SSL directives in server blocks can override global settings. I don't think this is the case, but it cannot hurt to validate by double-checking that the configs in all locations are limited to just the ones you need, and trace through the includes to ensure that you do not have one in the chain that is overriding its predecessor.
  2. NGINX Configuration Not Reloaded
    Again, just a good idea to run the commands below to ensure everything is loading.
# Test configuration first
nginx -t

# Reload if test passes
nginx -s reload

# OR restart nginx service
systemctl restart nginx
  3. Load Balancer or Proxy in Front
    SSL termination happening elsewhere. This one is a bit trickier, but it is best to ensure you're not sitting behind a CDN service, another load balancer, or a reverse proxy.
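A quick way to tell items 1 and 3 apart is to probe the TLS versions nginx itself negotiates on the loopback address (with SNI set so the right vhost answers) and compare with what the public name negotiates. This is an added example, not from the thread; it assumes openssl s_client is installed, and the hostname passed in is a placeholder.

```shell
#!/bin/sh
# If loopback reports TLS 1.0/1.1 disabled but the public name reports them
# enabled, something in front of nginx (WAF, load balancer, CDN) terminates
# TLS, and nginx's ssl_protocols directive never sees the client hello.

# Map a dotted TLS version to the s_client flag that forces that version.
tls_flag() {
  case "$1" in
    1.0) echo "-tls1" ;;   1.1) echo "-tls1_1" ;;
    1.2) echo "-tls1_2" ;; 1.3) echo "-tls1_3" ;;
    *) return 1 ;;
  esac
}

# handshake_ok OUTPUT: exit 0 only if the captured s_client output shows a
# completed handshake, i.e. a negotiated cipher rather than "(NONE)".
# A rejected version prints "New, (NONE), Cipher is (NONE)" plus an alert.
handshake_ok() {
  printf '%s\n' "$1" | grep -q '^New, TLSv' &&
    ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# probe ADDR PORT SNI VERSION: prints "<addr> TLS<version> enabled|disabled".
# An OpenSSL built without the old protocol also reports "disabled" here.
probe() {
  flag=$(tls_flag "$4") || return 2
  out=$(openssl s_client -connect "$1:$2" -servername "$3" "$flag" </dev/null 2>&1)
  if handshake_ok "$out"; then echo "$1 TLS$4 enabled"; else echo "$1 TLS$4 disabled"; fi
}

# compare HOSTNAME: all four versions, first against nginx on loopback
# (SNI selects the vhost), then against the public name as clients see it.
compare() {
  for v in 1.0 1.1 1.2 1.3; do
    probe 127.0.0.1 443 "$1" "$v"
    probe "$1" 443 "$1" "$v"
  done
}

# Usage: ./tlsprobe.sh ccc.xxx.com   (hostname is a placeholder)
if [ "$#" -gt 0 ]; then compare "$1"; fi
```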

Thanks for the reply. I tried all your suggestions, but it still doesn't work.

Is there any way to find the root cause from the debug log or similar? And what should I search for?

Heya! Can you check which version of OpenSSL you are running?

I just upgraded Nginx. Here is the version info.

nginx version: nginx/1.28.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=../nginx_upstream_check_module-master

Just wanted to drop a quick note. I am spinning up a docker instance to help troubleshoot this and validate expected behaviours are valid.

Bear with me I had a few hiccups with Docker today. Soonish I will fire back with some new threads for you to pull on. I appreciate the patience.

Hey again! Whilst @Dylen looks into this a bit further, what happens if you reduce your ssl directives to the bare minimum? Try commenting out everything but ssl_certificate, ssl_certificate_key and ssl_protocols.

Finally! We found the root cause. Someone enabled SSL offload in the WAF, but didn't tell anybody. Not a problem of Nginx at all. Sorry for the confusion!


Glad to hear you found the issue!
