Linux disable TLS 1.0 and TLS 1.1 on Nginx

If you are using Nginx on Linux and wish to disable certain TLS protocols like TLS 1.0 and TLS 1.1, you can do so as follows:

1. Change Nginx config

Open up the following file in your favorite editor (e.g. nano):

sudo nano /etc/nginx/nginx.conf

Somewhere in this file, look for the following line which starts with “ssl_protocols”:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

In the example above, it means that TLS 1.0, TLS 1.1 and TLS 1.2 are enabled. Simply change this line to enable or disable the TLS versions that you wish.

For example, if we want to disable TLS 1.0 and TLS 1.1, and only support TLS 1.2 change the line above to:

ssl_protocols TLSv1.2;

Optional: if you are running Nginx v1.13.0+ (check with sudo nginx -v) you can also enable TLS v1.3 which has some performance improvements. Most modern browsers already support this protocol. To do this alter the line above to:

ssl_protocols TLSv1.2 TLSv1.3;

Afterwards, save and exit the file.

2. Restart Nginx service

Now, we need to restart the Nginx service to apply the changes:

sudo service nginx restart

After restarting, check if the service is running properly with:

sudo service nginx status

If everything went OK, then this command should report the following Active: active (running) since ...:

Redirecting to /bin/systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/nginx.service.d
           └─php-fpm.conf
   Active: active (running) since Fri 2021-12-17 11:09:03 CET; 6min ago
  Process: 434007 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 434004 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 434000 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 434008 (nginx)
    Tasks: 5 (limit: 49464)
   Memory: 7.7M
   CGroup: /system.slice/nginx.service
           ├─434008 nginx: master process /usr/sbin/nginx
           ├─434009 nginx: worker process
           ├─434010 nginx: worker process
           ├─434011 nginx: worker process
           └─434012 nginx: worker process

Success!

Tip: check out our other article if you wish to check which TLS versions the webserver supports.

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.

Leave a comment

Your email address will not be published. Required fields are marked *