Ubuntu – How to enable TLS 1.2 in Nginx


How do I enable TLS 1.1 and 1.2 for SSL connections in my Ubuntu 12.04 server? I am using the following version of nginx and openssl library.

$ ./nginx -v
nginx version: nginx/1.2.3

$ openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Best Answer

First you need to activate SSL/TLS in your nginx.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

The two listen lines enable SSL at your IPv4 and IPv6 connection. If you have no IPv6 you might leave out the second listen line.

I assume that your server certificate is in /etc/ssl. If you use another path, you'd change the last two lines.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

This enables different TLS versions. All current browsers are able to use TLS1.2. For older browsers I wrote a small howto enable secure settings.

ssl_prefer_server_ciphers on;

The first line sets the ciphers which your nignx should use. The second line prefers the cipher suites on the server (and not the client) side. So you can use strong(er) ciphers.

If you're done, your nginx should use TLS1.2. If you'd like, you can add your site to a TLS1.2 hall of fame and be proud. ;)

However there are several methods to improve the settings. I follow this german guide for secure nginx configuration.

Related Question