How To Configure Nginx to use TLS 1.2 / 1.3 only

To configure Nginx to use only TLS 1.2 or 1.3, you will need to modify the Nginx configuration file.

  1. Open the Nginx configuration file located at /etc/nginx/nginx.conf in a text editor.
  2. Find the “http” block in the file and add the following line:
     ssl_protocols TLSv1.2 TLSv1.3;

This will tell Nginx to only use TLS 1.2 and 1.3.

  3. If you only want to use a specific version of TLS, specify only that version in the ssl_protocols directive instead of both versions.
  4. If you also want to restrict which cipher suites are offered, add the ssl_ciphers directive in the http block and list the ciphers you want to allow (Nginx offers only the ciphers listed), for example:
     ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

Note that you should use a strong set of ciphers that are considered secure; it is recommended to use the Mozilla recommended ciphers, as they are regularly updated to reflect the current security landscape.

  5. Save the configuration file and close it.
  6. Test the configuration by running the following command:
     sudo nginx -t

This command checks the configuration file for any errors.

  7. If the configuration is correct, reload Nginx to apply the changes:
     sudo systemctl reload nginx
  8. You can check which SSL/TLS versions the server accepts by using an online SSL checker such as SSL Labs, or by using the openssl s_client command.
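As an added example (not part of the original post), here is a small POSIX shell script that audits an Nginx configuration file for ssl_protocols directives and reports any legacy version still enabled, together with the live openssl s_client probe from the last step. It goes slightly beyond the steps above: ssl_protocols may also appear inside a server block, where it overrides the http-level value for that virtual host, so the check inspects every directive in the file rather than only the http block. Note also that protocol versions are governed by ssl_protocols; ssl_ciphers only selects cipher suites (and with OpenSSL it does not affect TLS 1.3 suites at all). The file paths, host name and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx configuration for
# legacy TLS versions and show the live checks from the steps above.
# The config paths and sample contents below are constructed for illustration.

# check_ssl_protocols FILE
# Exit status: 0 = every ssl_protocols directive allows only TLSv1.2/TLSv1.3,
#              1 = at least one directive still enables a legacy protocol,
#              2 = no ssl_protocols directive found (nginx uses its built-in default).
check_ssl_protocols() {
    file="$1"
    # Strip comments, then keep only ssl_protocols directives (one per line).
    directives=$(sed 's/#.*//' "$file" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    [ -n "$directives" ] || return 2
    legacy=0
    # Drop the directive name and the trailing ';', leaving the protocol tokens.
    for tok in $(printf '%s\n' "$directives" \
                 | sed 's/;.*$//; s/^[[:space:]]*ssl_protocols//'); do
        case "$tok" in
            TLSv1.2|TLSv1.3) ;;
            *) legacy=1; echo "legacy protocol enabled: $tok" >&2 ;;
        esac
    done
    [ "$legacy" -eq 0 ] || return 1
    return 0
}

# Constructed hardened config: TLS 1.2/1.3 only at the http level.
write_hardened_conf() {
    cat > "$1" <<'EOF'
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # modern versions only
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    server { listen 443 ssl; server_name example.com; }
}
EOF
}

# Constructed weak config: the http block is fine, but a server block overrides it.
# ssl_protocols is valid in both contexts and the server-level value wins for that
# virtual host, which is why every directive in the file has to be checked.
write_weak_conf() {
    cat > "$1" <<'EOF'
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # still accepts TLS 1.0/1.1
    }
}
EOF
}

# Live checks from the steps above (need a running nginx / reachable host):
#   sudo nginx -t && sudo systemctl reload nginx
#   openssl s_client -connect example.com:443 -tls1_1 </dev/null
# The handshake should fail (non-zero exit) once TLS 1.1 is disabled.
probe_legacy_tls() {
    host="$1"
    if openssl s_client -connect "$host:443" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "$host still accepts TLS 1.1" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: audit both constructed samples.
tmp=$(mktemp -d)
write_hardened_conf "$tmp/hardened.conf"
write_weak_conf "$tmp/weak.conf"
for f in "$tmp/hardened.conf" "$tmp/weak.conf"; do
    rc=0
    check_ssl_protocols "$f" || rc=$?
    echo "$f -> status $rc"
done
rm -rf "$tmp"
```

Running the script as-is reports status 0 for the hardened sample and status 1 for the weak one (with the offending tokens printed to stderr); point check_ssl_protocols at /etc/nginx/nginx.conf and any included files to audit a real installation, and run probe_legacy_tls against your own host after the reload to confirm the change took effect.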

It’s important to note that this configuration will only disable certain versions of SSL/TLS, but it will not ensure that the server is configured securely. To ensure that your server is configured securely, you should follow best practices and guidelines for server hardening and regularly update your system and software.
