Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?
December 19, 2023
|
8m

How to Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?


How To Disable Tls 1 0 And Tls 1 1 On Your Nginx Server

Transport Layer Security (TLS) is an important protocol that plays a vital role in helping to secure networks and protect data. TLS works by providing authentication, encryption, and integrity between two endpoints, allowing for secure communication over the internet or any other network. By using strong cryptography and digital certificates, TLS helps ensure that data sent across the network remains private and cannot be intercepted or tampered with by malicious actors.

TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their previous versions. TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining popularity because of its efficiency and speed. As a server administrator, you should enable TLS 1.2 and TLS 1.3 on your Nginx Server to enhance the security of your application, but wait, that’s not enough. You should also disable TLS 1.0 and TLS 1.1 on your Nginx Server, as they are deprecated for their weak security.

Before learning how to disable TLS 1.0 and TLS 1.1 on your Nginx Server, let’s learn about TLS 1.0 and TLS 1.1 and why you should disable TLS 1.0 and TLS 1.1 on your Nginx Server.

A Short Note About TLS 1.0 and TLS 1.1:

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over the internet. TLS 1.0 and TLS 1.1 are older versions of the TLS protocol. TLS 1.0 was first defined in 1999 and became widely used on the internet, but it has since been superseded by newer versions due to known vulnerabilities. TLS 1.1 was released in 2006 and addressed some of the vulnerabilities found in TLS 1.0, but it, too, has been superseded by newer versions. Both TLS 1.0 and TLS 1.1 are considered to be relatively weak and susceptible to attacks, and it is recommended to use a newer version of TLS, such as TLS 1.2 or TLS 1.3.

Why You Should Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?

Nginx is a popular web server used by many businesses today and can be configured to support different versions of TLS depending on the needs of the organization. It is highly recommended that organizations disable TLS 1.0 and TLS 1.1 on their Nginx server in order to ensure the highest level of security and protect the data that is being sent over their network.

There are a few reasons why you should disable TLS 1.0 and TLS 1.1 on your Nginx Server:

  1. TLS 1.0 and TLS 1.1 are no longer considered secure due to the fact that they are vulnerable to various attacks, such as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can allow an attacker to intercept and decrypt sensitive information transmitted over the internet.

  2. Another reason to disable TLS 1.0 and TLS 1.1 is that newer versions of TLS, such as TLS 1.2 and TLS 1.3, offer improved security and performance over the older versions. By using the newer versions, you can take advantage of the latest security features and protocols to protect your server and your users.

  3. Some government agencies, such as the US National Security Agency (NSA), have recommended that TLS 1.0 and TLS 1.1 be disabled.

Attacks TLS 1.0 and TLS 1.1 are Vulnerable To:

There are a number of known vulnerabilities in TLS 1.0 and TLS 1.1 that can be exploited by attackers. These include:

  1. POODLE (Padding Oracle On Downgraded Legacy Encryption)

  2. BEAST (Browser Exploit Against SSL/TLS)

  3. CRIME (Compression Ratio Info-leak Made Easy)

  4. FREAK (Factoring Attack on RSA-EXPORT Keys)

  5. LOGJAM (Diffie-Hellman Key Exchange Weakness)

These vulnerabilities allow attackers to perform man-in-the-middle attacks, decrypt sensitive information, and hijack user sessions. By disabling TLS 1.0 and TLS 1.1 on your Nginx server, you can protect yourself from these attacks.

What is the Alternate to TLS 1.0 and TLS 1.1?

The current version of the TLS protocol is TLS 1.3. TLS 1.3 was first defined in 2018, and it includes a number of security improvements over previous versions of the TLS protocol. We suggest you enable TLS 1.2 and TLS 1.3 on your Nginx Server instead of TLS 1.0 and TLS 1.1.

TLS 1.2 improves upon TLS 1.1 by adding support for Elliptic Curve Cryptography (ECC) and introducing new cryptographic suites that offer better security than the suites used in TLS 1.1. TLS 1.3 improves upon TLS 1.2 by simplifying the handshake process and making it more resistant to man-in-the-middle attacks. In addition, TLS 1.3 introduces new cryptographic suites that offer better security than the suites used in TLS 1.2.

TLS 1.2 and TLS 1.3 are both backward compatible with TLS 1.1 and earlier versions of the protocol. This means that a client that supports TLS 1.2 can communicate with a server that supports TLS 1.1 and vice versa. However, TLS 1.2 and TLS 1.3 are not compatible with each other. A client that supports TLS 1.2 cannot communicate with a server that supports TLS 1.3, and vice versa.

TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining in popularity. Many major web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, now support TLS 1.3. In addition, major Internet services providers, such as Cloudflare and Akamai, have started to support TLS 1.3 on their servers.

Please visit these posts to learn more about TLS 1.2 and TLS 1.3:

How to Disable TLS 1.0 and TLS 1.1 on Nginx Server?

Disabling TLS 1.0 and TLS 1.1 on your Nginx server is an important security step, as these older encryption protocols are considered insecure and have several known vulnerabilities. By disabling them, you can help protect your server from malicious actors seeking to exploit these weaknesses.

To disable TLS 1.0 and TLS 1.1 on your Nginx server, you will need to edit the Nginx configuration file. The location of this file may vary depending on your setup. If you don’t have server blocks (VMs for multi-site configuration) configured on your Nginx, then the configuration file would be typically located at /etc/nginx/nginx.conf or /etc/nginx/conf.d/ssl.conf.

On our server, we configured multiple server blocks, one for each site underneath /etc/nginx/sites-available/<domain_name>. 

For example,/etc/nginx/sites-available/thesecmaster.local for our internal application’ thesecmaster.local’.

$ cat /etc/nginx/sites-available/thesecmaster.local

Step 1. Check the SSL/TLS versions enabled on your application

Well, you can check the SSL/TLS versions using any online or offline tools. Visit this TLS Checker online tool to check the SSL/TLS versions of your public site. If you want to check it offline, we recommend Nmap to use. Run this Nmap command to check the SSL/TLS versions of both public and internal applications. However, make sure you have Nmap installed on your server and internet connection if you want to use Nmap to verify the public site.

$ nmap –script ssl-enum-ciphers -p <PORT> <DOMAIN NAME>


Step 2. Open the SSL configuration file in a text editor

The configuration file would be in a different location depending on how the Nginx is configured to work. If you don’t have separate server blocks (separate Virtual Hosts for multi-site configuration) configured on your Nginx, then the configuration file would be typically located either at /etc/nginx/nginx.conf or /etc/nginx/conf.d/ssl.conf.
On our server, we configured multiple server blocks, one for each site underneath
/etc/nginx/sites-available/<domain_name>.

$ sudo nano /etc/nginx/sites-available/thesecmaster.local


Step 3. Disable TLS 1.0 and TLS 1.1 on Nginx Server

To do this, locate the ‘ssl_protocols’ directive in the configuration file and remove the TLSv1.0 TLSv1.1 as shown in the above picture, and save the file. That’s it.

  1. Restart the Nginx server and validate the configuration settings

    Restart the Nginx service using this domain.

    $ sudo systemctl restart nginx


    Test the Nginx configuration.

    $ sudo nginx -t

    If you see a successful message. You can access the site over HTTPS secure channel.


We hope this post would help you know how to disable TLS 1.0 and TLS 1.1 on your Nginx Server, as they are deprecated for their weak security. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram and subscribe to receive updates like this.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

How To

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe