I am setting up web servers for best-practice TLS. The issue is TLS 1.0, which is deprecated.
I want to remove it from the available protocols and have done the usual:

##
# SSL Settings
##
ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

However, the absence of TLSv1 from the list does not stop the server from offering it. I have checked carefully for prior syntax errors in the configuration and there are none. The configuration is set in the main nginx.conf file and is used by one or more enabled sites attached to specific IP addresses. The enabled sites do not change ssl_protocols.

My environment:
nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tLEWFX/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-auth-pam 
--add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

My config file (part):

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    error_log /var/log/nginx/error.log info;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # ssl ecdh curve
    ssl_ecdh_curve secp384r1;

    # DH Parameters
    ssl_dhparam /etc/ssl/dhparams.pem;

    # Header security
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ....
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282020,282020#msg-282020
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx