Nginx - Disable unsecure SSL protocols

To keep your website as safe as possible, it is important to ensure that it only works with secure protocols. Disabling insecure protocols is therefore strongly recommended. Currently, all SSL protocols are insecure, and TLS 1.0 and TLS 1.1 are labeled as end-of-life. TLS 1.2 is still secure, but TLS 1.3 is preferred.

In NGINX you can do this by indicating in your configuration which protocols may be used. NGINX will then no longer use protocols not specified.
Shown below is an example configuration. The lines marked in 'bold' indicate which protocols may be used:

server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/ssl/uw_certificaat_bundel.crt;
ssl_certificate_key /etc/ssl/uw_privatekey.key;
ssl_protocols TLSv1.3;
access_log /var/log/nginx /nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root /home/www/public_html/;
index index.html;

Restart NGINX for the changes to take effect:

sudo service nginx restart

To check whether a website allows unsafe protocols, you can perform a SSL check.

You can use the Mozilla SSL Configurator for the configuration standards.


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up