Ubuntu – How to enable TLS 1.2 in Nginx


How do I enable TLS 1.1 and 1.2 for SSL connections in my Ubuntu 12.04 server? I am using the following version of nginx and openssl library.

$ ./nginx -v
nginx version: nginx/1.2.3

$ openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Best Answer

First you need to activate SSL/TLS in your nginx.conf:

server {
    # listen on both IPv4 and IPv6; "ssl" enables TLS on the socket
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    # server certificate (with chain) and its private key
    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;

    # the ssl_protocols / ssl_ciphers directives explained below go here
}

The two listen lines enable SSL on your IPv4 and IPv6 connections. If you have no IPv6, you can leave out the second listen line.

I assume that your server certificate is in /etc/ssl. If you use another path, you'd change the last two lines.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

This enables different TLS versions. All current browsers are able to use TLS 1.2. For older browsers I wrote a small how-to on enabling secure settings.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;

The first line sets the ciphers your nginx should use. The second line makes the server's (and not the client's) cipher-suite preference win, so you can use strong(er) ciphers.

If you're done, your nginx should use TLS1.2. If you'd like, you can add your site to a TLS1.2 hall of fame and be proud. ;)

However, there are several methods to improve the settings. I follow this German guide for secure nginx configuration.
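Two checks a practitioner would want after applying the answer above, as an added example that is not part of the original answer: a static audit of an nginx config that flags any ssl_protocols directive still listing SSLv2/SSLv3 or not offering TLSv1.2 (and a missing ssl_prefer_server_ciphers on), and a live probe that asks a server for exactly one protocol version with openssl s_client. The two config files are constructed inline for the demo; the paths under /etc/ssl in them are the answer's placeholders, not real files. Note the asker's OpenSSL was built with -DOPENSSL_NO_TLS1_2_CLIENT: that only disables TLS 1.2 in the client role, so nginx on that box can still serve TLS 1.2, but the live probe must be run from a host whose OpenSSL client supports it.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Two helpers:
#   audit_nginx_tls <conf>                  static check of ssl_protocols / ssl_prefer_server_ciphers
#   probe_tls_version <host> <port> <ver>   live handshake via openssl s_client (needs network)
set -eu

# Exit 0 if every ssl_protocols directive in the file offers TLSv1.2, none still
# lists SSLv2/SSLv3, and ssl_prefer_server_ciphers is on; exit 1 otherwise.
audit_nginx_tls() {
    conf="$1"
    rc=0
    # Drop comments, keep ssl_protocols lines, normalise whitespace, strip the ';'.
    directives=$(sed 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]*;[[:space:]]*$//; s/[[:space:]]+/ /g') || true
    if [ -z "$directives" ]; then
        # nginx 1.2.x's compiled-in default still included SSLv3 when the directive is absent.
        echo "FINDING: $conf: no ssl_protocols directive, nginx default applies"
        return 1
    fi
    while IFS= read -r d; do
        case " $d " in
            *" SSLv2 "*|*" SSLv3 "*) echo "FINDING: $conf: '$d;' still enables SSLv2/SSLv3"; rc=1 ;;
        esac
        case " $d " in
            *" TLSv1.2 "*) echo "OK:      $conf: '$d;' offers TLSv1.2" ;;
            *) echo "FINDING: $conf: '$d;' does not offer TLSv1.2"; rc=1 ;;
        esac
    done <<EOF
$directives
EOF
    if ! sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on[[:space:]]*;'; then
        echo "FINDING: $conf: ssl_prefer_server_ciphers is not 'on'; the client picks the cipher"
        rc=1
    fi
    return $rc
}

# Live check: negotiate exactly one protocol version (ver is ssl3, tls1, tls1_1 or tls1_2).
# s_client exits 0 only when the handshake succeeded and stdin hit EOF, so the
# function's status is the answer. Not exercised by the demo below (needs a server).
probe_tls_version() {
    host="$1"; port="$2"; ver="$3"
    openssl s_client -connect "$host:$port" "-$ver" </dev/null >/dev/null 2>&1
}

# Constructed sample configs: one as the asker likely had it, one as the answer prescribes.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;
    ssl_protocols SSLv3 TLSv1;   # still offers SSLv3, never TLS 1.2
}
EOF
cat >"$tmp/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;
    ssl_certificate /etc/ssl/example.org.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
}
EOF
for f in weak hardened; do
    if audit_nginx_tls "$tmp/$f.conf"; then echo "$f.conf: PASS"; else echo "$f.conf: FAIL"; fi
done
```

Run it against the real file with `audit_nginx_tls /etc/nginx/nginx.conf` (and any files pulled in by include, which the script does not follow), then confirm from another machine with `probe_tls_version example.org 443 tls1_2 && echo ok` and `probe_tls_version example.org 443 ssl3 || echo 'sslv3 refused'`.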
