My nginx config file looks like:

    server {
        listen          80;
        listen [::]:80;

        server_name hostserver.ru www.hostserver.ru;
        return 301 https://hostserver.ru$request_uri;

        server_tokens off;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name     hostserver.ru www.hostserver.ru;

        ssl_certificate /etc/letsencrypt/live/hostserver.ru/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/hostserver.ru/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000" always;
        ssl_stapling on;
        ssl_stapling_verify on;

        root /var/www/html;
        index index.html index.htm;
        server_tokens off;

        ... some location stuff...
    }

Unfortunately, TLS 1.2 is not supported by Android 4.0-4.3, and I've changed the config:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

But after using SSLTest, it shows me a report that TLS 1.0 and TLS 1.1 are not supported.

Did I miss something to change in the config files? Thanks in advance.

UPDATE: I've checked the certificates with the command:

    openssl s_client -tls1 (and so on) -connect example.org:443 < /dev/null

and the certificate is enabled for each protocol.

micsha123
  • Did you restart the server after making those changes? – Rob Dec 23 '17 at 15:20
  • @Rob Yes! I restarted nginx and the whole Ubuntu server - no effect – micsha123 Dec 23 '17 at 15:35
  • You might want to check which ciphers work with TLSv1 and TLSv1.1. Testing my site, GCM ciphers are listed against only TLSv1.2 - you may want to add some more ciphers. E.g. `ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";` – Richard Smith Dec 23 '17 at 15:50
  • @RichardSmith you're right! Would you post your comment as an answer? – micsha123 Dec 23 '17 at 16:23
  • You can list SSL ciphers using `nmap -script ssl-enum-ciphers -p PORT HOSTNAME` – andrej Aug 24 '23 at 10:19

2 Answers

I don't know which ciphers work with TLSv1 and TLSv1.1. But I notice from testing sites with SSLTest, that the GCM ciphers are listed against TLSv1.2 only.

You may need to use a more inclusive list of ciphers.

For example:

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
Richard Smith
  • Yep! I've changed the list of my ciphers (there were only ones supported by TLS 1.2). For newbies to this question I can recommend https://mozilla.github.io/server-side-tls/ssl-config-generator/ - I had something like the "Modern" type. – micsha123 Dec 23 '17 at 17:03
  • I have the same issue (nginx 1.18.0, OpenSSL 1.1.1f) and wrote `ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ALL";`, then restarted nginx, but it's not making any difference. SSLTest still shows support for TLSv1.2 only. – Thomas Oct 11 '20 at 15:58
  • Turns out, the OpenSSL configuration `/etc/ssl/openssl.cnf` also plays a role in this, and can forbid protocols (and probably ciphers) even if nginx is requesting them explicitly. I found https://stackoverflow.com/a/61568390/14637 which helped solve the problem. – Thomas Oct 11 '20 at 16:18
  • Add `@SECLEVEL=1` in the cipher list: `ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:@SECLEVEL=1";` see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html for levels – JPelletier May 31 '21 at 19:49
  • @JPelletier The only one that worked for me! You just saved my day! – Swap Aug 01 '22 at 17:39
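To see concretely why widening `ssl_protocols` alone changed nothing, here is an added Python example (not code from the question, the answer, or nginx) that expands both cipher strings from this page with the local OpenSSL build, exactly as nginx's `ssl_ciphers` would, and reports which suites a TLS 1.0/1.1 client could use at all. It assumes a Python whose `ssl` module is linked against OpenSSL 1.1.1 or later.

```python
import ssl

# Cipher strings as they appear on this page: the visible part of the
# question's list, and the more inclusive list from the accepted answer.
ORIGINAL_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256"
)
INCLUSIVE_LIST = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and
    group the resulting suites by the oldest protocol they can run under.
    OpenSSL reports 'TLSv1.2' for suites that need TLS 1.2 (all AEAD
    suites: GCM, CHACHA20-POLY1305) and an older label for the rest.
    TLS 1.3 suites are always present and are not governed by
    ssl_ciphers, so they are skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups = {"tls12_only": [], "pre_tls12": []}
    for suite in ctx.get_ciphers():
        proto = suite["protocol"]
        if proto == "TLSv1.3":
            continue
        key = "tls12_only" if proto == "TLSv1.2" else "pre_tls12"
        groups[key].append(suite["name"])
    return groups


def supports_legacy_tls(cipher_string):
    """True if at least one suite is usable by a TLS 1.0 / 1.1 client."""
    return bool(expand_ciphers(cipher_string)["pre_tls12"])


if __name__ == "__main__":
    for label, cs in (("question", ORIGINAL_LIST), ("answer", INCLUSIVE_LIST)):
        g = expand_ciphers(cs)
        print(f"{label}: {len(g['tls12_only'])} TLS 1.2-only suites, "
              f"{len(g['pre_tls12'])} usable with TLS 1.0/1.1")
        for name in g["pre_tls12"]:
            print("    ", name)
```

A suite showing up here is only a prerequisite: as the comments above note, the OpenSSL security level and `/etc/ssl/openssl.cnf` can still refuse TLS 1.0/1.1 during the handshake even when nginx offers them.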
Using Ubuntu 22.04, getting TLS 1.0/1.1 to work is a massive pain, as it appears that Ubuntu's openssl 3.0 build doesn't include TLS 1.0/1.1 support at all.

I was able to get it to work by:

  1. Building openssl 1.1.1 branch from source

  2. Building nginx from source after uninstalling libssl-dev so it finds the local built openssl - and make sure to enable the modules you need

  3. Updating the openssl config

  4. Updating the Nginx config

  5. Updating my systemd service to use the local nginx build

Caveat emptor. Keep in mind that if you do this you won't get automatic security updates.

Cyanfish