How to enable TLS 1.2 in Nginx?


Solution 1

First you need to activate SSL/TLS in your nginx.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

The two listen lines enable SSL on your IPv4 and IPv6 connections. If you have no IPv6 you might leave out the second listen line.

I assume that your server certificate is in /etc/ssl. If you use another path, you'd change the last two lines.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

This enables different TLS versions. All current browsers are able to use TLS1.2. For older browsers I wrote a small howto on enabling secure settings.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;

The first line sets the ciphers which your nginx should use. The second line prefers the cipher suites on the server (and not the client) side. So you can use strong(er) ciphers.

If you're done, your nginx should use TLS1.2. If you'd like, you can add your site to a TLS1.2 hall of fame and be proud. ;)

However, there are several methods to improve the settings. I follow this German guide for secure nginx configuration.
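Before reloading nginx with a block like the one above, it is worth checking which protocol versions the file actually offers. The following audit script is an added example, not part of either answer; it parses the ssl_* directives and flags legacy versions and non-forward-secret suites, using a sample config constructed from the snippets above.

```python
import re

# Constructed sample: the directives from the answer above, assembled into one server block.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}
"""

# Protocol versions that older howtos still list but that should no longer be offered.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Return {directive: [args]} for every ssl_* directive, ignoring # comments."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(ssl_\w+)\s+(.*?);$", line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found

def audit_tls(conf):
    """Return a list of findings; an empty list means all checks passed."""
    d = parse_directives(conf)
    findings = []
    protocols = d.get("ssl_protocols", [])
    if not protocols:
        findings.append("ssl_protocols not set: nginx falls back to its compiled-in default")
    if "TLSv1.2" not in protocols and "TLSv1.3" not in protocols:
        findings.append("ssl_protocols does not enable TLSv1.2 or TLSv1.3")
    for legacy in sorted(LEGACY_PROTOCOLS & set(protocols)):
        findings.append(f"ssl_protocols still offers {legacy}")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    # Simple prefix heuristic: only ECDHE/DHE suites provide forward secrecy.
    for suite in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if suite and not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"ssl_ciphers includes non-forward-secret suite {suite}")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONF):
        print("WARN:", finding)
```

Run against a real file with `audit_tls(open("/etc/nginx/nginx.conf").read())`; the sample above yields two warnings, one each for TLSv1 and TLSv1.1.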

Solution 2

There are numerous security advisories that have been addressed in subsequent versions of nginx. If you're still (6 months stale post?) in this situation, seriously consider upgrading; TLS settings won't matter if the web server itself is insecure. See http://nginx.org/en/security_advisories.html for details.

If, for some reason, you MUST run this version of nginx, the information available on enabling strong cipher suites with nginx (or Apache) here will probably help: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

Author: codefx

Updated on September 18, 2022

Comments

  • codefx
    codefx over 1 year

    How do I enable TLS 1.1 and 1.2 for SSL connections in my Ubuntu 12.04 server? I am using the following version of nginx and openssl library.

    $ ./nginx -v
    nginx version: nginx/1.2.3
    
    $ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Tue Jun  4 07:26:06 UTC 2013
    platform: debian-amd64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
    
  • Amaury
    Amaury about 10 years
    Ubuntu 12 disables TLS 1.1 and TLS 1.2 for interop reasons. I think they recently enabled TLS 1.1, but I believe TLS 1.2 is still lacking. See OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2.