Enable TLS 1.0 and TLS 1.1 on Ubuntu 20.04


Solution 1

I finally found out how to enable it for nginx (I'm afraid I don't know how to do it system-wide) and for other services whose configuration allows changing ciphers.

Source: man ciphers.1ssl

Edit your nginx configuration and amend your cipherlist to add the pseudocipher @SECLEVEL=1.

Example:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

becomes

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# seclevel for TLS 1.0 and 1.1
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:@SECLEVEL=1";

Solution 2

For GnuTLS, as explained in

https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/8

create /etc/gnutls/config (both the directory and the file were missing) with the following content:

[overrides]
default-priority-string = NORMAL

This was enough to fix the following error in Evolution (due to a POP3 server lacking TLS 1.2 support):

A packet with illegal or unsupported version was received

There were other instructions at this link for a system-wide OpenSSL "fix", which I have not tested.

Author: reivilibre

Updated on September 18, 2022

Comments

  • reivilibre
    reivilibre over 1 year

    I have recently reinstalled my server to Ubuntu 20.04.

    A support call came in and after a few days, I managed to notice that TLS v1.0 and v1.1 were not being provided by my web server, nginx. The configuration was fine and explicitly enables TLSv1 and TLSv1.1. Nothing appeared in nginx's logs…

    Later on, I noticed that nothing seems to work with TLS 1.0 or 1.1 anymore.

    openssl s_client -tls1 -connect matrix.org:443 doesn't work (it fails with no protocols available), whereas it does under Ubuntu 18.04.

    Someone else at this question is no longer able to connect to their MySQL server that doesn't support TLS v1.2.

    I am starting to suspect that this may be an intentional change to Ubuntu, but I can't find anything in the release notes and I also can't find out how to re-enable TLS v1.0 and v1.1 since I really need it to support some older users' devices (mainly Android phones).

    How can TLS v1.0 and/or v1.1 be re-enabled?

    Many thanks.


    I tried modifying /etc/ssl/openssl.cnf (which is symlinked to by /usr/lib/ssl/openssl.cnf) to add

    openssl_conf = default_conf
    
    [ default_conf ]
    ssl_conf = ssl_sect
    
    [ ssl_sect ]
    system_default = system_default_sect
    
    [ system_default_sect ]
    MinProtocol = TLSv1
    DEFAULT@SECLEVEL = 1
    

    This did not result in any difference when using the openssl command shown before (I tried both 'TLSv1' and 'TLSv1.0' as the MinProtocol).

    • Admin
      Admin almost 4 years
      I noticed that TLS 1.0 (deprecated in 2018) and TLS 1.1 (deprecated at the end of 2019) have been almost entirely removed from Ubuntu and have seen evidence that this was done on purpose. TLS 1.3 has been out for 2 years now and I guess the Ubuntu team didn't want to carry on maintaining code that was officially deprecated. However, I do still have much the same problem that you do, which is how to enable TLS 1.1 in the latest version of Ubuntu.
    • Admin
      Admin almost 4 years
      I'm faced with the same problem. I've also tried the above and it doesn't work.
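Two checks that help with the situation the question describes, written as an added example rather than code from the thread or from Ubuntu/OpenSSL. The first classifies `openssl s_client` output so that a refusal coming from the local OpenSSL policy ("no protocols available", emitted before anything is sent, which is what the question reports) is told apart from a refusal by the remote server (a protocol-version alert). The second inspects an openssl.cnf for a usable system-wide override, using the configuration keys OpenSSL 1.1.x documents for the `ssl_conf` mechanism (`MinProtocol`, `CipherString`); a bare `DEFAULT@SECLEVEL = 1` line, as in the question's attempt, is not a key OpenSSL reads, so the check flags it. Function names, the sample transcripts, and the assumption that an OpenSSL 1.1.1+ `openssl` binary is on PATH (needed only for the live probe) are mine.

```shell
#!/bin/sh
# Added example, not code from the original thread or from any project.
# Assumes: POSIX sh; `openssl` (1.1.1+) on PATH only for probe_tls_versions.
# classify_transcript and check_openssl_override run on text/files offline.

# Classify one s_client transcript read from stdin. $1 is the protocol
# label as s_client prints it in its session summary ("Protocol  : TLSv1.1").
classify_transcript() {
    proto="$1"
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        # Raised while building the ClientHello: the *local* OpenSSL policy
        # (MinProtocol or @SECLEVEL) refuses to offer that version at all.
        echo client-refused
    elif printf '%s\n' "$out" | grep -Eq 'alert protocol version|wrong version number|handshake failure'; then
        # The server answered and turned the version down.
        echo server-refused
    elif printf '%s\n' "$out" | grep -q "^ *Protocol *: $proto\$"; then
        echo accepted
    else
        echo unknown
    fi
}

# Live probe: one forced-version handshake per TLS version against a host.
probe_tls_versions() {
    host="$1"; port="${2:-443}"
    for pair in '-tls1 TLSv1' '-tls1_1 TLSv1.1' '-tls1_2 TLSv1.2' '-tls1_3 TLSv1.3'; do
        set -- $pair   # $1 = s_client flag, $2 = label used in the summary
        result=$(openssl s_client "$1" -connect "$host:$port" -servername "$host" \
                     </dev/null 2>&1 | classify_transcript "$2")
        printf '%-8s %s\n' "$2" "$result"
    done
}

# A system-wide override using the keys OpenSSL 1.1.x reads from the
# ssl_conf section (CipherString carries the @SECLEVEL pseudo-cipher).
openssl_override_fragment() {
    cat <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
EOF
}

# Check an openssl.cnf-style file for a usable override. Prints "ok" and
# returns 0 when all three conditions hold; otherwise prints the first
# problem found and returns 1.
check_openssl_override() {
    file="$1"
    # The top-level directive must sit in the unnamed section before the
    # first [section] header, or OpenSSL never looks at the rest.
    if ! sed '/^[[:space:]]*\[/,$d' "$file" | grep -Eq '^[[:space:]]*openssl_conf[[:space:]]*='; then
        echo 'openssl_conf = ... is missing from the unnamed top section'; return 1
    fi
    # Extract [system_default_sect] up to the next section header (or EOF).
    sect=$(sed -n '/^[[:space:]]*\[[[:space:]]*system_default_sect[[:space:]]*\]/,/^[[:space:]]*\[/p' "$file")
    if ! printf '%s\n' "$sect" | grep -Eq '^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*TLSv1(\.[0-9])?[[:space:]]*$'; then
        echo 'MinProtocol is not set in [system_default_sect]'; return 1
    fi
    if ! printf '%s\n' "$sect" | grep -Eq '^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=[01]'; then
        echo 'CipherString = ...@SECLEVEL=1 is missing (a bare DEFAULT@SECLEVEL line is not a key OpenSSL reads)'; return 1
    fi
    echo ok
}

# Stand-alone use: ./tlscheck.sh host [port]
if [ "$#" -gt 0 ]; then
    probe_tls_versions "$@"
fi
```

Reading the probe output: `client-refused` on TLSv1/TLSv1.1 means the machine running the check will not offer those versions, which is the local-policy situation this question is about, and raising the server's settings changes nothing; `server-refused` means the remote end is the one declining. Re-enabling TLS 1.0/1.1 also lowers the security level for every client of that OpenSSL configuration, so the override is best kept to the one service that needs it (the nginx `@SECLEVEL=1` form in Solution 1) rather than applied system-wide.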