I am testing my website using ssllabs and getting a **B ** grade because TLS 1.0 and TLS 1.1 are allowed.
However, to the best of my understanding my nginx configuration should not allow TLS 1.0 and TLS 1.1.
In nginx.conf I have:
http {
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
Also, under /etc/nginx/sites-enabled/ I have a host specific conf file with the following configuration:
server {
listen 443 ssl;
listen [::]:443 ipv6only=on;
server_name www.mydomain.com;
ssl_certificate /etc/nginx/ssl/mycert.crt;
ssl_certificate_key /etc/nginx/ssl/my.key;
**ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;**
}
OS: alpine
nginx version:
nginx/1.22.1
built with OpenSSL 3.0.5 5 Jul 2022 (running with OpenSSL 3.0.8 7 Feb 2023)
TLS SNI support enabled
This is running as docker container under aws-lightsail container service.
I also tried adding a default server configuration and tried listing explicit list of strong ciphers but both of these did not help.
I can connect to my website using openssl with TLSv1.1 (openssl s_client -connect www.mydomain.com:443 -tls1_1
):
I am getting a TLS 1.1 connection with cipher ECDHE-RSA-AES128-SHA which according to my understanding should not be allowed.
2
Answers
I found the problem. This is happening because I am using AWS ssl certificate which in the environment of lightsail containers implies that there is a load balancer which does the ssl termination. So actually, this is out of my control at this point
Two reasons why this could be happening.
OpenSSL
compiled in your Nginx and the one being used is different. This may cause some conflicts, and undefined behavior. Recheck your compilation parameters and 3rd party Nginx modules(they can modify compilation flags).ssl_protocols
directive is only effective in thedefault_server
(if you set it in default_server, it effects every server_name/server context). Check how to locate/define default_server in your configuration and see if it is overriding your test parameters.