Nginx : TLS 1.2 support




A couple of days back I was toying with this website https://www.ssllabs.com/ssltest/ to see how good my website's SSL strength is. Unfortunately, from the report, I got a B grade. The reason given is that TLS 1.2 is not supported.

To enable TLS 1.2 support in Nginx, do the following:

Check that your OpenSSL version is up to date with the openssl version -a command. You should see output like:

OpenSSL 1.0.1i 6 Aug 2014

built on: Thu Aug 7 09:43:31 UTC 2014

platform: linux-x86_64

options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)

compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

OPENSSLDIR: "/usr/local/ssl"

At minimum, you need OpenSSL version 1.0.1 or above.

The next step is to go to the nginx configuration directory. In my case, it is located at /usr/local/nginx/conf. Modify the nginx.conf file there.

Search for the ssl_protocols config line, such as:

ssl_protocols SSLv2 SSLv3 TLSv1;

and change the line by adding TLSv1.2 and TLSv1.1:

ssl_protocols SSLv2 SSLv3 TLSv1.2 TLSv1.1 TLSv1;

Note: Depending on your nginx.conf file, the configuration may be slightly different. However, the ssl_protocols line should be under the server block listening on port 443.

Restart nginx and run the SSL query again at https://www.ssllabs.com/ssltest/ for your website. TLS 1.2 support should be enabled by now.
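The two checks in the steps above (OpenSSL 1.0.1 or later, and TLSv1.2 present on the ssl_protocols line) can be run offline before restarting nginx. The script below is an added example, not part of the original post; its function names and the sample server blocks are constructed for illustration. It also reports SSLv2 and SSLv3, which the post's line retains and which are deprecated by RFC 6176 and RFC 7568.

```python
import re

# Protocol the post's edited line must contain, and protocol names that are
# deprecated (SSLv2 by RFC 6176, SSLv3 by RFC 7568).
REQUIRED = ("TLSv1.2",)
LEGACY = ("SSLv2", "SSLv3")


def openssl_supports_tls12(version_output):
    """True if `openssl version` output reports 1.0.1 or later."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("unrecognised openssl version output")
    return tuple(int(x) for x in m.groups()) >= (1, 0, 1)


def ssl_protocols_directives(conf_text):
    """Return the protocol list of every ssl_protocols directive."""
    # Drop '#' comments first so a commented-out directive is not reported.
    uncommented = re.sub(r"#[^\n]*", "", conf_text)
    # \b keeps proxy_ssl_protocols and similar directives out of the match.
    return [m.group(1).split()
            for m in re.finditer(r"\bssl_protocols\s+([^;]+);", uncommented)]


def audit(conf_text):
    """One finding dict per ssl_protocols directive, in file order."""
    findings = []
    for protos in ssl_protocols_directives(conf_text):
        findings.append({
            "protocols": protos,
            "missing": [p for p in REQUIRED if p not in protos],
            "legacy": [p for p in LEGACY if p in protos],
        })
    return findings


# Constructed sample input: the "before" and "after" lines from the post,
# wrapped in a minimal server block.
BEFORE = ("server {\n  listen 443;\n  # ssl_protocols TLSv1.2;\n"
          "  ssl_protocols SSLv2 SSLv3 TLSv1;\n}\n")
AFTER = ("server {\n  listen 443;\n"
         "  ssl_protocols SSLv2 SSLv3 TLSv1.2 TLSv1.1 TLSv1;\n}\n")

if __name__ == "__main__":
    print(openssl_supports_tls12("OpenSSL 1.0.1i 6 Aug 2014"))
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf))
```

To audit a real file, pass its contents to audit(), for example audit(open("/usr/local/nginx/conf/nginx.conf").read()).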





By Adam Ng
