December 19, 2023

How to Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?


Transport Layer Security (TLS) is an important protocol that plays a vital role in helping to secure networks and protect data. TLS works by providing authentication, encryption, and integrity between two endpoints, allowing for secure communication over the internet or any other network. By using strong cryptography and digital certificates, TLS helps ensure that data sent across the network remains private and cannot be intercepted or tampered with by malicious actors.

TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their previous versions. TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining popularity because of its efficiency and speed. As a server administrator, you should enable TLS 1.2 and TLS 1.3 on your Nginx Server to enhance the security of your application, but wait, that’s not enough. You should also disable TLS 1.0 and TLS 1.1 on your Nginx Server, as they are deprecated for their weak security.

Before learning how to disable TLS 1.0 and TLS 1.1 on your Nginx Server, let’s learn about TLS 1.0 and TLS 1.1 and why you should disable TLS 1.0 and TLS 1.1 on your Nginx Server.

A Short Note About TLS 1.0 and TLS 1.1:

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over the internet. TLS 1.0 and TLS 1.1 are older versions of the TLS protocol. TLS 1.0 was first defined in 1999 and became widely used on the internet, but it has since been superseded by newer versions due to known vulnerabilities. TLS 1.1 was released in 2006 and addressed some of the vulnerabilities found in TLS 1.0, but it, too, has been superseded by newer versions. Both TLS 1.0 and TLS 1.1 are considered to be relatively weak and susceptible to attacks, and it is recommended to use a newer version of TLS, such as TLS 1.2 or TLS 1.3.

Why You Should Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?

Nginx is a popular web server used by many businesses today and can be configured to support different versions of TLS depending on the needs of the organization. It is highly recommended that organizations disable TLS 1.0 and TLS 1.1 on their Nginx server in order to ensure the highest level of security and protect the data that is being sent over their network.

There are a few reasons why you should disable TLS 1.0 and TLS 1.1 on your Nginx Server:

  1. TLS 1.0 and TLS 1.1 are no longer considered secure due to the fact that they are vulnerable to various attacks, such as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which can allow an attacker to intercept and decrypt sensitive information transmitted over the internet.

  2. Another reason to disable TLS 1.0 and TLS 1.1 is that newer versions of TLS, such as TLS 1.2 and TLS 1.3, offer improved security and performance over the older versions. By using the newer versions, you can take advantage of the latest security features and protocols to protect your server and your users.

  3. Some government agencies, such as the US National Security Agency (NSA), have recommended that TLS 1.0 and TLS 1.1 be disabled.

Attacks TLS 1.0 and TLS 1.1 are Vulnerable To:

There are a number of known vulnerabilities in TLS 1.0 and TLS 1.1 that can be exploited by attackers. These include:

  1. POODLE (Padding Oracle On Downgraded Legacy Encryption)

  2. BEAST (Browser Exploit Against SSL/TLS)

  3. CRIME (Compression Ratio Info-leak Made Easy)

  4. FREAK (Factoring Attack on RSA-EXPORT Keys)

  5. LOGJAM (Diffie-Hellman Key Exchange Weakness)

These vulnerabilities allow attackers to perform man-in-the-middle attacks, decrypt sensitive information, and hijack user sessions. By disabling TLS 1.0 and TLS 1.1 on your Nginx server, you can protect yourself from these attacks.

What is the Alternative to TLS 1.0 and TLS 1.1?

The current version of the TLS protocol is TLS 1.3. TLS 1.3 was first defined in 2018, and it includes a number of security improvements over previous versions of the TLS protocol. We suggest you enable TLS 1.2 and TLS 1.3 on your Nginx Server instead of TLS 1.0 and TLS 1.1.

TLS 1.2 improves upon TLS 1.1 by adding support for Elliptic Curve Cryptography (ECC) and introducing new cryptographic suites that offer better security than the suites used in TLS 1.1. TLS 1.3 improves upon TLS 1.2 by simplifying the handshake process and making it more resistant to man-in-the-middle attacks. In addition, TLS 1.3 introduces new cryptographic suites that offer better security than the suites used in TLS 1.2.

TLS 1.2 and TLS 1.3 are both backward compatible with TLS 1.1 and earlier versions of the protocol. This means that a client that supports TLS 1.2 can communicate with a server that supports TLS 1.1 and vice versa. However, TLS 1.2 and TLS 1.3 are not compatible with each other. A client that supports TLS 1.2 cannot communicate with a server that supports TLS 1.3, and vice versa.

TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining in popularity. Many major web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, now support TLS 1.3. In addition, major Internet services providers, such as Cloudflare and Akamai, have started to support TLS 1.3 on their servers.

Please visit these posts to learn more about TLS 1.2 and TLS 1.3:

How to Disable TLS 1.0 and TLS 1.1 on Nginx Server?

Disabling TLS 1.0 and TLS 1.1 on your Nginx server is an important security step, as these older encryption protocols are considered insecure and have several known vulnerabilities. By disabling them, you can help protect your server from malicious actors seeking to exploit these weaknesses.

To disable TLS 1.0 and TLS 1.1 on your Nginx server, you will need to edit the Nginx configuration file. The location of this file may vary depending on your setup. If you don’t have server blocks (separate virtual hosts for a multi-site configuration) configured on your Nginx, then the configuration file is typically located at /etc/nginx/nginx.conf or /etc/nginx/conf.d/ssl.conf.

On our server, we configured multiple server blocks, one for each site, underneath /etc/nginx/sites-available/<domain_name>.

For example, /etc/nginx/sites-available/thesecmaster.local for our internal application ‘thesecmaster.local’.

$ cat /etc/nginx/sites-available/thesecmaster.local

Step 1. Check the SSL/TLS versions enabled on your application

You can check the SSL/TLS versions using any online or offline tool. Visit this TLS Checker online tool to check the SSL/TLS versions of your public site. If you want to check offline, we recommend using Nmap. Run this Nmap command to check the SSL/TLS versions of both public and internal applications. Make sure Nmap is installed on your server, and that the server has an internet connection if you want to use Nmap to verify the public site.

$ nmap --script ssl-enum-ciphers -p <PORT> <DOMAIN NAME>


Step 2. Open the SSL configuration file in a text editor

The configuration file will be in a different location depending on how Nginx is configured. If you don’t have separate server blocks (separate virtual hosts for a multi-site configuration) configured on your Nginx, then the configuration file is typically located either at /etc/nginx/nginx.conf or /etc/nginx/conf.d/ssl.conf.
On our server, we configured multiple server blocks, one for each site, underneath /etc/nginx/sites-available/<domain_name>.

$ sudo nano /etc/nginx/sites-available/thesecmaster.local


Step 3. Disable TLS 1.0 and TLS 1.1 on Nginx Server

To do this, locate the ‘ssl_protocols’ directive in the configuration file and remove the TLSv1 and TLSv1.1 values (Nginx spells TLS 1.0 as TLSv1) as shown in the above picture, so that only TLSv1.2 and TLSv1.3 remain, and save the file. That’s it.

Step 4. Restart the Nginx server and validate the configuration settings

Restart the Nginx service using this command.

$ sudo systemctl restart nginx

Test the Nginx configuration.

$ sudo nginx -t

If you see a success message, you can access the site over the HTTPS secure channel.
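The steps above can be tied together in one script. The following is an added example and not code from the original post: it audits a server block for legacy protocol tokens, rewrites the ssl_protocols directive to TLS 1.2 and 1.3 only, checks the configuration with nginx -t before applying it, and then probes the site with OpenSSL to confirm that TLS 1.0 and 1.1 are refused. The sample server block is constructed for the demo; the function names and the temporary file path are assumptions, and thesecmaster.local is the hostname used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit, harden, validate and
# verify the ssl_protocols setting of an Nginx server block.
# Assumptions: the sample server block below is constructed for the demo,
# function names are illustrative, and nginx/openssl are only invoked by the
# verify_reload and probe_tls helpers, which you call on the real server.

# Constructed sample of a server block that still allows TLS 1.0 and 1.1.
# Nginx spells TLS 1.0 as "TLSv1" and TLS 1.1 as "TLSv1.1".
SAMPLE_CONF="${TMPDIR:-/tmp}/thesecmaster.local.sample"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name thesecmaster.local;
    ssl_certificate     /etc/ssl/certs/thesecmaster.local.crt;
    ssl_certificate_key /etc/ssl/private/thesecmaster.local.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
}
EOF

# weak_protocols FILE: print every legacy protocol token enabled by an
# ssl_protocols directive in FILE, one per line. Exit status 0 means at
# least one weak version is still enabled, 1 means none were found.
weak_protocols() {
    grep -E '^[[:space:]]*ssl_protocols' "$1" \
      | sed 's/;.*$//' \
      | tr ' \t' '\n\n' \
      | grep -Ex 'SSLv2|SSLv3|TLSv1|TLSv1\.1'
}

# harden_protocols FILE: rewrite every ssl_protocols directive so that only
# TLS 1.2 and TLS 1.3 remain. The original file is kept as FILE.bak.
harden_protocols() {
    sed -i.bak -E \
      's/^([[:space:]]*)ssl_protocols[^;]*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$1"
}

# verify_reload: test the configuration BEFORE applying it so a typo never
# takes the site down; reload (rather than restart) keeps existing
# connections open while new ones pick up the hardened setting.
verify_reload() {
    sudo nginx -t && sudo systemctl reload nginx
}

# probe_tls HOST PORT: attempt a handshake with each protocol version.
# After the change the tls1 and tls1_1 lines should read "refused".
# A refusal can also come from a client whose own OpenSSL policy no longer
# offers TLS 1.0/1.1, so cross-check with the nmap ssl-enum-ciphers output.
probe_tls() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$1:$2" -servername "$1" "-$v" \
             </dev/null >/dev/null 2>&1; then
            echo "$v accepted"
        else
            echo "$v refused"
        fi
    done
}

# Offline demo on the constructed sample.
echo "Legacy versions before hardening:"
weak_protocols "$SAMPLE_CONF"
harden_protocols "$SAMPLE_CONF"
echo "Legacy versions after hardening:"
weak_protocols "$SAMPLE_CONF" || echo "(none)"
grep ssl_protocols "$SAMPLE_CONF"

# On the real server you would run, for the site from the post:
#   harden_protocols /etc/nginx/sites-available/thesecmaster.local
#   verify_reload && probe_tls thesecmaster.local 443
```

The audit function deliberately matches whole tokens, so a directive that already reads `ssl_protocols TLSv1.2 TLSv1.3;` is not flagged just because `TLSv1` is a prefix of `TLSv1.2`. Keep the `.bak` copy until the OpenSSL probe confirms the result, and remember that the ssl_protocols directive can live in the http, server or conf.d scope, so audit every file that Nginx includes.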


We hope this post helps you understand how to disable TLS 1.0 and TLS 1.1 on your Nginx Server, as they are deprecated for their weak security. Please share this post if you find it interesting. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
