I have a NGINX acting as a reverse proxy for our sites and is working very well. For the sites that need ssl I followed raymii.org to make sure to have as strong of a SSLLabs score as possible. One of the sites needs to be PCI DSS compliant but based on the latest TrustWave scan is now failing because of TLS 1.0 being enabled.
On the http level in nginx.conf I have:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
For the specific server I have:
ssl_protocols TLSv1.1 TLSv1.2;
I have changed ciphers, moved things out of the http level and to each ssl site server but no matter what when I run:
openssl s_client -connect www.example.com:443 -tls1
I get a valid connection for TLS 1.0. SSLLabs puts the nginx setup for the site as an A but with TLS 1.0 so I believe the rest of my setup is correct it just will not turn off TLS 1.0.
Thoughts on what I could be missing?
openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Jun 11 15:28:12 UTC 2015
platform: debian-amd64
nginx -v
nginx version: nginx/1.8.0
Best Answer
The problem here is that the
Server name indicationpart of TLS negotiation is done after the connection itself has been negotiated. And the protocol is negotiated during connection negotiation.It might be possible to enforce no TLS v1.0 for that virtual host if you configure that virtual host to an IP address on the server that has no other virtual hosts associated with it. Therefore nginx would know based on the IP address that no TLS v 1.0 is allowed.