
It seems to be a straightforward configuration setting, but I cannot disable TLSv1.1.

nginx.conf in /etc/nginx:

ssl_protocols TLSv1.2;

Domain configuration last_nginx.conf (changed via Plesk templates in nginxDomainVirtualHost.php):

ssl_protocols               TLSv1.2;
ssl_ciphers                 ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA;

ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/ssl/server.dh_pem;

Still, TLSv1.1 is enabled and, when tested with openssl, returns this:

openssl s_client -tls1_1 -connect mydomain.com:443 < /dev/null

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E298E87276A0776AF736439AF260FE0F92B17330ED97D5F3C2F87CF02C3F75A8

What am I missing here? Why is TLSv1.1 still enabled though only TLSv1.2 was specified?

Any suggestions how to disable TLSv1.1?

Thanks!

user2723490

1 Answer

This is speculation as you did not post your full (sanitized) configuration, but most likely you are using a shared listen block across multiple servers. Though the configuration syntax makes it seem possible, you actually cannot have disparate cipher specs across server blocks that share the same listen.

More specifically:

server {
   listen 443 ssl;
   server_name tls.example.com;
}

server {
   listen 443 ssl;
   server_name tls12.example.com;
   ssl_protocols TLSv1.2;
}

If you were to curl tls12.example.com here you would find that it has 1.1 support. However, if you were to add the same restriction to the tls.example.com server, only 1.2 would be supported.

The only real fix is to use a dedicated IP for the restriction, or ensure that all server blocks for that (ip,port) combination have the same SSL cipher settings.

Side note: The discussion above also applies to enabling/disabling HTTP/2.

Joshua DeWald