How to completely disable TLS v1 from Nginx?

Published in

zurassic

1 min readJan 26, 2019

One of my production web app needs to pass compliance and TLS v1 is not acceptable. I’m using Nginx docker image as my reverse proxy and removing TLS v1 seems easy according to Google:

Not able to disable tls 1.1 for nginx

Spent many hours, but can't fix it. I'm not able to disable TLS 1.1. That's required to use Stripe or any other CC…

serverfault.com

Nginx How to Disable TLS 1.0 " CentOS Questions

Nginx How to Disable TLS 1.0 Are you getting a bad SSL grade when checking your website? Test your website with an SSL…

centosquestions.com

All articles suggest to remove ‘TLS v1" from nginx config file and I did that, but it didn’t work.

After another hour of testing, here is the solution I find out that worked:

add a ‘default_server’ to one of your server block

In summary:

How to remove?

remove TLS v1 from nginx config file
in the same file, add default_server to one of your server block: listen 443 ssl default_server;

How to test?

There are several ways of testing the configuration

From web UI: https://www.ssllabs.com/ssltest/analyze.html
Using nmap: nmap — script ssl-enum-ciphers -p 443 www.your-site.com
Using openssl: openssl s_client -connect www.your-site.com:443 -tls1 < /dev/null