If you are using Nginx on Linux and wish to disable certain TLS protocols like TLS 1.0 and TLS 1.1, you can do so as follows:
1. Change Nginx config
Open up the following file in your favorite editor (e.g. nano):
sudo nano /etc/nginx/nginx.conf
Somewhere in this file, look for the following line which starts with “ssl_protocols”:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
The example above means that TLS 1.0, TLS 1.1 and TLS 1.2 are enabled. Change this line to enable or disable the TLS versions you want.
For example, if we want to disable TLS 1.0 and TLS 1.1 and only support TLS 1.2, change the line above to:
ssl_protocols TLSv1.2;
Optional: if you are running Nginx v1.13.0+ (check with sudo nginx -v) you can also enable TLS v1.3, which has some performance improvements. Most modern browsers already support this protocol. To do this, alter the line above to:
ssl_protocols TLSv1.2 TLSv1.3;
Afterwards, save and exit the file.
2. Restart Nginx service
Now, we need to restart the Nginx service to apply the changes:
sudo service nginx restart
After restarting, check if the service is running properly with:
sudo service nginx status
If everything went OK, then this command should report Active: active (running) since ... as in the following output:
Redirecting to /bin/systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/nginx.service.d
           └─php-fpm.conf
   Active: active (running) since Fri 2021-12-17 11:09:03 CET; 6min ago
  Process: 434007 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 434004 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 434000 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 434008 (nginx)
    Tasks: 5 (limit: 49464)
   Memory: 7.7M
   CGroup: /system.slice/nginx.service
           ├─434008 nginx: master process /usr/sbin/nginx
           ├─434009 nginx: worker process
           ├─434010 nginx: worker process
           ├─434011 nginx: worker process
           └─434012 nginx: worker process
Tip: check out our other article if you wish to check which TLS versions the webserver supports.
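The ssl_protocols directive can also appear in server blocks and in included files, so editing nginx.conf alone may leave TLS 1.0 or TLS 1.1 enabled for some sites. The script below is an added example, not part of the original article: it reads the full configuration as dumped by sudo nginx -T and lists every ssl_protocols line that still enables an old protocol. The function names audit_ssl_protocols and sample_config, and the file paths in the sample, are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag every ssl_protocols
# directive that still enables a protocol older than TLS 1.2.
# Real use:  sudo nginx -T 2>/dev/null | audit_ssl_protocols
# Exit status: 0 = clean, 1 = legacy protocol enabled, 2 = no directive found.
audit_ssl_protocols() {
    awk '
    # "nginx -T" prints this marker before each file it dumps.
    /^# configuration file / { file = $4; sub(/:$/, "", file); line = 0; next }
    {
        line++
        text = $0
        sub(/#.*/, "", text)    # drop comments (naive: ignores quoting)
        # Match the directive itself, not e.g. proxy_ssl_protocols.
        if (text !~ /(^|[ \t;{])ssl_protocols[ \t]/) next
        seen++
        sub(/.*ssl_protocols[ \t]+/, "", text)
        sub(/;.*/, "", text)
        n = split(text, proto, /[ \t]+/)
        legacy = ""
        for (i = 1; i <= n; i++)
            if (proto[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                legacy = legacy " " proto[i]
        if (legacy != "") {
            bad++
            printf "LEGACY %s:%d:%s\n", (file ? file : "stdin"), line, legacy
        }
    }
    END {
        if (!seen) { print "NONE no ssl_protocols directive found"; exit 2 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample in "nginx -T" layout; file names are hypothetical.
sample_config() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2 TLSv1.3;
}
# configuration file /etc/nginx/conf.d/legacy-site.conf:
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

sample_config | audit_ssl_protocols || echo "audit exit status: $?"
```

The line numbers it reports are relative to each file in the dump. A directive whose protocol list is split over several lines is not handled.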